[openstack-dev] [Security] XML Attacks and DefusedXML on Global Requirements

Charles Neill charles.neill at RACKSPACE.COM
Thu Sep 29 00:16:32 UTC 2016


A completely secure alternative isn't available in the Python standard library. Here's a table of various XML libraries and the vulnerabilities they may be affected by [1]. This is partially reflected in Python's official documentation as well (version 2.7.12) [2].

There are currently 132 references to "xml.etree.ElementTree" alone in OpenStack projects [3]. Granted, most of these examples aren't likely to have serious security ramifications, but the potential is there (see the Glance OVF bug mentioned by Travis for a relatively mild example). XML is definitely on the decline, but for the remaining stragglers, having a secure, stable solution might be a good idea. The codebase of defusedxml is fairly small, basically just replacing a few vulnerable functions in popular XML libraries with more secure versions. Might it be something OpenStack could maintain a fork of?

Since the bandit documentation suggests using defusedxml as a mitigation for these issues, we should at least figure out an alternative suggestion for bandit to provide if defusedxml doesn't meet OpenStack's needs.

[1]: https://pypi.python.org/pypi/defusedxml#python-xml-libraries
[2]: https://docs.python.org/2/library/xml.html#xml-vulnerabilities
[3]: https://github.com/search?utf8=%E2%9C%93&q=org%3Aopenstack+%22xml.etree.elementtree%22+language%3Apython&type=Code&ref=searchresults

Charles Neill
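A stdlib-only illustration of the mechanism Charles describes above (defusedxml swapping a few vulnerable parsing functions for hardened ones), added here and not part of the thread or of defusedxml itself: the same expat handlers that defusedxml hooks are used to refuse entity declarations before any expansion can happen. The sample document, `ForbiddenEntity` and the function names are constructed for this example.

```python
import xml.parsers.expat

# Constructed sample: nested internal entities, each level expanding fourfold.
SAMPLE = b"""<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY a "xx">
  <!ENTITY b "&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;">
]>
<doc>&c;</doc>"""

class ForbiddenEntity(ValueError):
    """Raised when an untrusted document tries to declare an entity."""

def _text_collector(parser):
    """Attach a character-data handler and return the list it fills."""
    chunks = []
    parser.CharacterDataHandler = chunks.append
    return chunks

def parse_unhardened(data):
    """Plain expat, the parser the stdlib XML modules build on: entities are
    expanded silently. Returns the total length of the character data."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = _text_collector(parser)
    parser.Parse(data, True)
    return sum(len(c) for c in chunks)

def parse_hardened(data):
    """Same parser, but any entity declaration or external entity reference
    aborts parsing before expansion starts (the hooks defusedxml installs)."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = _text_collector(parser)

    def refuse(*_args):
        raise ForbiddenEntity("entity declarations are not allowed")
    parser.EntityDeclHandler = refuse
    parser.UnparsedEntityDeclHandler = refuse
    parser.ExternalEntityRefHandler = refuse
    parser.Parse(data, True)
    return sum(len(c) for c in chunks)

def hardened_rejects(data):
    """True if the hardened parser refuses the document, False otherwise."""
    try:
        parse_hardened(data)
    except ForbiddenEntity:
        return True
    return False
```

Running `parse_unhardened(SAMPLE)` shows the expanded text is 32 characters from a 6-character payload, while the hardened parser stops at the first `<!ENTITY>` declaration; a document without a DTD parses identically with both.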

From: Travis McPeak <travis.mcpeak at gmail.com>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org>
Date: Tuesday, September 27, 2016 at 13:45
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org>
Subject: Re: [openstack-dev] [Security] XML Attacks and DefusedXML on Global Requirements

There is a private security bug about it right now too.  No, not all XML libraries are immune now.

On Tue, Sep 27, 2016 at 11:36 AM, Dave Walker <email at daviey.com> wrote:


On 27 September 2016 at 19:19, Sean Dague <sean at dague.net> wrote:
On 09/27/2016 01:24 PM, Travis McPeak wrote:
> There are several attacks (https://pypi.python.org/pypi/defusedxml#id3)
> that can be performed when XML is parsed from untrusted input.
> DefusedXML offers safe alternatives to XML parsing libraries but is not
> currently part of global requirements.
>
> I propose adding DefusedXML to global requirements so that projects have
> an option for safe XML parsing.  Does anybody have any thoughts or
> objections?

Out of curiosity, are there specific areas of concern in existing
projects here? Most projects have dropped XML API support.


Outbound XML datasources which are parsed are still used with at least nova vmware support and multiple cinder drivers.

openstack/ec2-api is still providing an xml api service?

--
Kind Regards,
Dave Walker

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




--
-Travis