advice on defusedxml but that is not in global-requirements

Bug #1550161 reported by Andreas Jaeger

Affects: Bandit | Status: Incomplete | Importance: Low | Assigned to: Unassigned | Milestone: (none)

Bug Description

Got this advice in glance:

>> Issue: [blacklist_calls] Using xml.etree.ElementTree.iterparse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.iterparse with it's defusedxml equivilent function.
2016-02-26 06:28:40.208 | Severity: Medium Confidence: High
2016-02-26 06:28:40.208 | Location: glance/async/flows/ovf_process.py:185
2016-02-26 06:28:40.208 | 183 disk_filename, file_elements, file_ref = None, None, None
2016-02-26 06:28:40.208 | 184 properties = {}
2016-02-26 06:28:40.208 | 185 for event, elem in ET.iterparse(ovf):
2016-02-26 06:28:40.208 | 186 if event == 'end':
2016-02-26 06:28:40.208 | 187 ns, tag = _get_namespace_and_tag(elem.tag)
2016-02-26 06:28:40.208 |

but defusedxml is not in global-requirements and thus cannot be used in projects. Either update the test or update global-requirements.
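The following is an added example, not code from glance or from Bandit. It keeps the `ET.iterparse` loop shape quoted in the report but refuses any descriptor that carries a DTD (a `DOCTYPE` or `ENTITY` declaration) before expat sees it, which removes the entity-expansion and external-entity vectors the Bandit warning is about without adding a dependency. Where defusedxml is allowed, `defusedxml.ElementTree.iterparse` is the drop-in replacement Bandit suggests; this block shows the dependency-free alternative for projects bound by global-requirements. The sample OVF text is constructed, and `_get_namespace_and_tag` is my own implementation of the helper named in the report (assumed to split ElementTree's `{namespace}tag` form).

```python
"""Defensive XML parsing of an OVF descriptor (added example, not glance's code)."""
import io
import re
import xml.etree.ElementTree as ET

# Constructed, benign OVF-like descriptor (namespaces trimmed for brevity).
SAMPLE_OVF = b"""<?xml version="1.0" encoding="UTF-8"?>
<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"
          xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1">
  <References>
    <File ovf:id="file1" ovf:href="disk1.vmdk"/>
  </References>
  <DiskSection>
    <Disk ovf:fileRef="file1" ovf:capacity="8589934592"/>
  </DiskSection>
</Envelope>
"""

# Any DTD at all is rejected: internal entity declarations drive entity-expansion
# (denial of service) and external entity declarations drive XXE. The check runs on
# the raw bytes before the parser is created, so no entity is ever expanded. OVF
# envelopes never legitimately carry a DTD.
_DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)

OVF_NS = "http://schemas.dmtf.org/ovf/envelope/1"


def _get_namespace_and_tag(qualified_tag):
    """Split ElementTree's '{namespace}tag' form into (namespace, tag).

    Assumed behaviour of the helper named in the bug report.
    """
    if qualified_tag.startswith("{"):
        ns, _, tag = qualified_tag[1:].partition("}")
        return ns, tag
    return "", qualified_tag


def safe_iterparse(data):
    """Yield (event, element) pairs like ET.iterparse, after refusing any DTD.

    `data` is the full descriptor as bytes; reading it whole first is fine because
    the OVF descriptor is a small metadata file, not the disk image it references.
    """
    if _DTD_MARKER.search(data):
        raise ValueError("OVF descriptor contains a DTD; refusing to parse")
    return ET.iterparse(io.BytesIO(data), events=("end",))


def extract_file_refs(data):
    """Return {ovf:id: ovf:href} for every <File> element.

    Mirrors the loop in the report: iterate 'end' events, split namespace and tag,
    and act on the elements of interest.
    """
    file_refs = {}
    for event, elem in safe_iterparse(data):
        if event != "end":
            continue
        ns, tag = _get_namespace_and_tag(elem.tag)
        if ns == OVF_NS and tag == "File":
            file_refs[elem.get("{%s}id" % OVF_NS)] = elem.get("{%s}href" % OVF_NS)
        elem.clear()  # release finished subtrees so memory stays flat
    return file_refs


if __name__ == "__main__":
    print(extract_file_refs(SAMPLE_OVF))
```

Rejecting the DTD up front is deliberately blunt: it does not try to distinguish harmless from harmful entity declarations, because the descriptor format never needs them and a whitelist is easier to reason about than a parser-level mitigation.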

Revision history for this message
Andreas Jaeger (jaegerandi) wrote :

Ian Cordasco (icordasc) wrote :

Correct. It is the best practice advice. While bandit is produced by OpenStack it is also very much in use by communities not involved in OpenStack. I don't think we should change the test. Also, I think openstack/requirements will give us a hassle if we update g-r, but we can try anyway :)

Andreas Jaeger (jaegerandi) wrote :

So, should defusedxml be disabled by default? Or, asked differently: what's the best way to disable the test in OpenStack jobs?

Travis McPeak (travis-mcpeak) wrote :

With the current version of Bandit in PyPI the test can be disabled in the config file by removing the used functions from the list of XML checks.

In the upcoming version of Bandit this will be easier as you can explicitly disable this check by ID the way you would in PEP8. For now please remove the list of XML checks from the blacklist section at the end if you don't want to check them.

I'm happy to sync up with you to help with this.

Andreas Jaeger (jaegerandi) wrote :

For glance I just uncommented them from the supplied file.

I'm just suggesting to give sane default for OpenStack, helps with adopting the tool ;)

Eric Brown (ericwb) wrote :

I think this will mostly be resolved with Bandit 1.0, where you can simply exclude the offending plugin from the command line. Although you can edit the bandit.yaml today, it's unwieldy.

Changed in bandit:
importance: Undecided → Low
Stanislaw Pitucha (stanislaw-pitucha) wrote :

I believe this is resolved by bandit 1.0 with a better configuration file.

Have a look at http://docs.openstack.org/developer/bandit/config.html for configuration docs. You can also use the `bandit-config-generator` tool to generate the exceptions you want.

Please let me know if you'd like any assistance with that.

Changed in bandit:
status: New → Incomplete