A completely secure alternative isn't available in the Python standard library. Here's a table of various XML libraries and the vulnerabilities they may be affected by [1]. This is partially reflected in Python's official documentation as well (version 2.7.12) [2].
There are currently 132 references to "xml.etree.ElementTree" alone in OpenStack projects [3]. Granted, most of these examples aren't likely to have serious security ramifications, but the potential is there (see the Glance OVF bug mentioned by Travis for a relatively mild example). XML is definitely on the decline, but for the remaining stragglers, having a secure, stable solution might be a good idea.

The codebase of defusedxml is fairly small, basically just replacing a few vulnerable functions in popular XML libraries with more secure versions. Might it be something OpenStack could maintain a fork of? Since the bandit documentation suggests using defusedxml as a mitigation for these issues, we should at least figure out an alternative suggestion for bandit to provide if defusedxml doesn't meet OpenStack's needs.

[1]: https://pypi.python.org/pypi/defusedxml#python-xml-libraries
[2]: https://docs.python.org/2/library/xml.html#xml-vulnerabilities
[3]: https://github.com/search?utf8=%E2%9C%93&q=org%3Aopenstack+%22xml.etree.elementtree%22+language%3Apython&type=Code&ref=searchresults

Charles Neill

From: Travis McPeak <travis.mcp...@gmail.com>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Date: Tuesday, September 27, 2016 at 13:45
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Subject: Re: [openstack-dev] [Security] XML Attacks and DefusedXML on Global Requirements

There is a private security bug about it right now too. No, not all XML libraries are immune now.

On Tue, Sep 27, 2016 at 11:36 AM, Dave Walker <em...@daviey.com> wrote:

> On 27 September 2016 at 19:19, Sean Dague <s...@dague.net> wrote:
>
>> On 09/27/2016 01:24 PM, Travis McPeak wrote:
>>> There are several attacks (https://pypi.python.org/pypi/defusedxml#id3)
>>> that can be performed when XML is parsed from untrusted input.
>>> DefusedXML offers safe alternatives to XML parsing libraries but is not
>>> currently part of global requirements.
>>>
>>> I propose adding DefusedXML to global requirements so that projects have
>>> an option for safe XML parsing. Does anybody have any thoughts or
>>> objections?
>>
>> Out of curiosity, are there specific areas of concern in existing projects
>> here? Most projects have dropped XML API support.
>
> Outbound XML datasources which are parsed are still used with at least nova
> vmware support and multiple cinder drivers.
>
> openstack/ec2-api is still providing an xml api service?
>
> --
> Kind Regards,
> Dave Walker
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

--
-Travis
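As an added illustration of the hardening technique the thread discusses (this is example code written for this page, not defusedxml's own implementation): defusedxml works by hooking the expat declaration handlers so that any DOCTYPE, entity declaration or external entity reference aborts the parse before a tree is built. The same hooks are available in the standard library's `xml.parsers.expat`, which is all this example uses; the names `parse_untrusted`, `ForbiddenXML` and `is_rejected` are assumptions of the example.

```python
"""Parse XML from an untrusted source while refusing DTD/entity constructs.

Added example, not defusedxml's code: it applies the same idea (replace the
expat declaration handlers with ones that raise) using only the stdlib.
"""
import xml.parsers.expat
from xml.etree.ElementTree import Element, TreeBuilder


class ForbiddenXML(ValueError):
    """Raised when the document uses a construct we refuse to process."""


def _reject(reason):
    # Build an expat handler that aborts the parse; exceptions raised inside
    # a handler propagate out of parser.Parse().
    def handler(*_args):
        raise ForbiddenXML(reason)
    return handler


def parse_untrusted(data: bytes) -> Element:
    """Return the root Element, or raise ForbiddenXML / ExpatError.

    A DOCTYPE (hence any internal subset), an entity declaration or an
    external entity reference stops parsing before the tree builder sees
    any of the document, so entity expansion never happens.
    """
    parser = xml.parsers.expat.ParserCreate()
    builder = TreeBuilder()
    parser.StartDoctypeDeclHandler = _reject("DOCTYPE is not allowed")
    parser.EntityDeclHandler = _reject("entity declarations are not allowed")
    parser.UnparsedEntityDeclHandler = _reject("unparsed entities are not allowed")
    parser.ExternalEntityRefHandler = _reject("external entities are not allowed")
    # Ordinary element and text events feed the ElementTree builder.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)  # malformed input raises ExpatError as usual
    return builder.close()


def is_rejected(data: bytes) -> bool:
    """True if parse_untrusted refuses the document (helper for checks)."""
    try:
        parse_untrusted(data)
    except ForbiddenXML:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs: a plain document and one with a DOCTYPE.
    print(parse_untrusted(b"<vm><disk size='1'>root</disk></vm>").tag)
    print(is_rejected(b'<!DOCTYPE x [<!ENTITY e "v">]><x>&e;</x>'))
```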