Pickle usages in packages related to remote ssh should be marked as nosec for bandit

Bug #1552465 reported by Michael McCune
Affects: Sahara
Status: Fix Released
Importance: Low
Assigned to: Michael McCune
Milestone: mitaka-3

Bug Description

The modules sahara.cli.sahara_subprocess and sahara.utils.procutils both use the pickle package to aid in deploying remote ssh commands to the nodes of a sahara cluster. The pickled objects sent to the nodes are almost entirely controlled by sahara. Even with that, there is still some possibility that the usage of pickle could be dangerous.

At this time, the modules should have their usages of pickle marked as nosec according to the bandit documentation[1], and they should also be marked with TODOs to investigate alternative usages to improve the security hardening in this area.

[1]: https://github.com/openstack/bandit/blob/master/README.rst#exclusions

Tags: bandit
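The point the report leaves open is why a `# nosec` is only a suppression and not a fix: pickle.loads executes whatever callable the byte stream names, so "almost entirely controlled by sahara" still means any untrusted producer of those bytes gets code execution on the node. The following is an added example, not sahara's code and not the merged change. It shows a payload that runs code on load against a loader marked `# nosec` in the way the bandit documentation describes, and beside it one hardening option (a restricted Unpickler that resolves only whitelisted builtin types). The COMMAND_BUNDLE shape, the function names and the whitelist are assumptions for illustration.

```python
"""Why a ``# nosec`` on pickle.loads still deserves the TODO.

Added example, not sahara's code. The command bundle shape, the function
names and the RestrictedUnpickler whitelist are assumptions; only the
``# nosec`` marker form comes from the bandit documentation.
"""
import builtins
import io
import os
import pickle

# Constructed stand-in for the kind of object sahara pickles for a node:
# plain data describing a remote command, no custom classes.
COMMAND_BUNDLE = {"cmd": ["sudo", "hostname"], "timeout": 30, "stdin": None}


class EvalOnLoad:
    """Object whose pickled form runs code when it is *loaded*.

    pickle.loads honours __reduce__ blindly: it imports the named callable
    and calls it with the given arguments. eval of os.getpid() keeps the
    example offline; an attacker would name subprocess or os.system.
    """

    def __reduce__(self):
        return (eval, ("__import__('os').getpid()",))


def malicious_payload():
    """Bytes that an untrusted producer could hand to the loader."""
    return pickle.dumps(EvalOnLoad())


def load_trusted(data):
    # The pattern the bug settles on: suppress the bandit finding and keep
    # the reminder. Safe only while every producer of ``data`` is trusted.
    return pickle.loads(data)  # nosec  # TODO: move to a non-executing format


class RestrictedUnpickler(pickle.Unpickler):
    """One hardening option: resolve only whitelisted builtin types.

    Plain dicts, lists, strings and numbers never trigger find_class, so
    the legitimate bundle loads unchanged while any GLOBAL reference
    (functions, classes, os.system, eval, ...) is refused outright.
    """

    SAFE_BUILTINS = {"dict", "list", "tuple", "set", "frozenset",
                     "str", "bytes", "int", "float", "bool"}

    def find_class(self, module, name):
        if module == "builtins" and name in self.SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(
            "refusing to resolve %s.%s during unpickling" % (module, name))


def load_restricted(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def attempt_restricted(data):
    """Return ("ok", obj) or ("rejected", reason) without raising."""
    try:
        return ("ok", load_restricted(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


def roundtrip(loader):
    """Load a freshly pickled COMMAND_BUNDLE through ``loader``."""
    return loader(pickle.dumps(COMMAND_BUNDLE))


def exploit_ran_in_loader():
    """True when merely loading the payload executed code in this process."""
    return load_trusted(malicious_payload()) == os.getpid()


if __name__ == "__main__":
    print("trusted loader, plain bundle:", roundtrip(load_trusted))
    print("trusted loader ran attacker code:", exploit_ran_in_loader())
    print("restricted loader, plain bundle:", attempt_restricted(pickle.dumps(COMMAND_BUNDLE)))
    print("restricted loader, payload:", attempt_restricted(malicious_payload()))
```

The restricted loader is a stop-gap rather than a replacement: it still parses an attacker-controlled pickle stream with the full pickle machinery, which is why the TODO in the bug points toward a format that cannot name callables at all (JSON-style plain data) rather than toward a tighter whitelist.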
OpenStack Infra (hudson-openstack) wrote: Fix proposed to sahara (master)

Fix proposed to branch: master
Review: https://review.openstack.org/287522

Changed in sahara:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote: Fix merged to sahara (master)

Reviewed: https://review.openstack.org/287522
Committed: https://git.openstack.org/cgit/openstack/sahara/commit/?id=1deef56cc68d58a04964637aa8fa134c94eece6f
Submitter: Jenkins
Branch: master

commit 1deef56cc68d58a04964637aa8fa134c94eece6f
Author: Michael McCune <email address hidden>
Date: Wed Mar 2 19:08:04 2016 -0500

    add nosec to remote ssh pickle usages

    this change will suppress the warnings from bandit about the pickle
    usages in the remote ssh related modules. this also adds TODO items to
    remind of future investigation.

    Change-Id: Iefd8fd240189a5a4e35c2ee433ba0a8ed899da91
    Closes-Bug: 1552465

Changed in sahara:
status: In Progress → Fix Released
Changed in sahara:
milestone: none → mitaka-3
Doug Hellmann (doug-hellmann) wrote: Fix included in openstack/sahara 4.0.0.0b3

This issue was fixed in the openstack/sahara 4.0.0.0b3 development milestone.
