Re: [openstack-dev] [Security] XML Attacks and DefusedXML on Global Requirements

2016-09-28 Thread Charles Neill
A completely secure alternative isn't available in the Python standard library. 
Here's a table of various XML libraries and the vulnerabilities they may be 
affected by [1]. This is partially reflected in Python's official documentation 
as well (version 2.7.12) [2].

There are currently 132 references to "xml.etree.ElementTree" alone in 
OpenStack projects [3]. Granted, most of these examples aren't likely to have 
serious security ramifications, but the potential is there (see the Glance OVF 
bug mentioned by Travis for a relatively mild example). XML is definitely on 
the decline, but for the remaining stragglers, having a secure, stable solution 
might be a good idea. The codebase of defusedxml is fairly small, basically 
just replacing a few vulnerable functions in popular XML libraries with more 
secure versions. Might it be something OpenStack could maintain a fork of?

Since the bandit documentation suggests using defusedxml as a mitigation for 
these issues, we should at least figure out an alternative suggestion for 
bandit to provide if defusedxml doesn't meet OpenStack's needs.

[1]: https://pypi.python.org/pypi/defusedxml#python-xml-libraries
[2]: https://docs.python.org/2/library/xml.html#xml-vulnerabilities
[3]: https://github.com/search?utf8=%E2%9C%93&q=org%3Aopenstack+%22xml.etree.elementtree%22+language%3Apython&type=Code&ref=searchresults

Charles Neill

From: Travis McPeak <travis.mcp...@gmail.com>
Reply-To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Date: Tuesday, September 27, 2016 at 13:45
To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev@lists.openstack.org>
Subject: Re: [openstack-dev] [Security] XML Attacks and DefusedXML on Global Requirements

There is a private security bug about it right now too.  No, not all XML 
libraries are immune now.

On Tue, Sep 27, 2016 at 11:36 AM, Dave Walker <em...@daviey.com> wrote:


On 27 September 2016 at 19:19, Sean Dague <s...@dague.net> wrote:
On 09/27/2016 01:24 PM, Travis McPeak wrote:
> There are several attacks (https://pypi.python.org/pypi/defusedxml#id3)
> that can be performed when XML is parsed from untrusted input.
> DefusedXML offers safe alternatives to XML parsing libraries but is not
> currently part of global requirements.
>
> I propose adding DefusedXML to global requirements so that projects have
> an option for safe XML parsing.  Does anybody have any thoughts or
> objections?

Out of curiosity, are there specific areas of concern in existing
projects here? Most projects have dropped XML API support.


Outbound XML data sources which are parsed are still used with at least nova vmware 
support and multiple cinder drivers.

openstack/ec2-api is still providing an xml api service?

--
Kind Regards,
Dave Walker

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




--
-Travis


Re: [openstack-dev] [Security] XML Attacks and DefusedXML on Global Requirements

2016-09-27 Thread Jeremy Stanley
On 2016-09-27 11:45:14 -0700 (-0700), Travis McPeak wrote:
> There is a private security bug about it right now too.  No, not all XML
> libraries are immune now.

https://launchpad.net/bugs/1625402 which I've just now declassified.
-- 
Jeremy Stanley




Re: [openstack-dev] [Security] XML Attacks and DefusedXML on Global Requirements

2016-09-27 Thread Travis McPeak
There is a private security bug about it right now too.  No, not all XML
libraries are immune now.

On Tue, Sep 27, 2016 at 11:36 AM, Dave Walker wrote:

>
>
> On 27 September 2016 at 19:19, Sean Dague wrote:
>
>> On 09/27/2016 01:24 PM, Travis McPeak wrote:
>> > There are several attacks (https://pypi.python.org/pypi/defusedxml#id3)
>> > that can be performed when XML is parsed from untrusted input.
>> > DefusedXML offers safe alternatives to XML parsing libraries but is not
>> > currently part of global requirements.
>> >
>> > I propose adding DefusedXML to global requirements so that projects have
>> > an option for safe XML parsing.  Does anybody have any thoughts or
>> > objections?
>>
>> Out of curiosity, are there specific areas of concern in existing
>> projects here? Most projects have dropped XML API support.
>>
>>
> Outbound XML data sources which are parsed are still used with at least nova
> vmware support and multiple cinder drivers.
>
> openstack/ec2-api is still providing an xml api service?
>
> --
> Kind Regards,
> Dave Walker
>


-- 
-Travis


Re: [openstack-dev] [Security] XML Attacks and DefusedXML on Global Requirements

2016-09-27 Thread Dave Walker
On 27 September 2016 at 19:19, Sean Dague wrote:

> On 09/27/2016 01:24 PM, Travis McPeak wrote:
> > There are several attacks (https://pypi.python.org/pypi/defusedxml#id3)
> > that can be performed when XML is parsed from untrusted input.
> > DefusedXML offers safe alternatives to XML parsing libraries but is not
> > currently part of global requirements.
> >
> > I propose adding DefusedXML to global requirements so that projects have
> > an option for safe XML parsing.  Does anybody have any thoughts or
> > objections?
>
> Out of curiosity, are there specific areas of concern in existing
> projects here? Most projects have dropped XML API support.
>
>
Outbound XML data sources which are parsed are still used with at least nova
vmware support and multiple cinder drivers.

openstack/ec2-api is still providing an xml api service?

--
Kind Regards,
Dave Walker


Re: [openstack-dev] [Security] XML Attacks and DefusedXML on Global Requirements

2016-09-27 Thread Sean Dague
On 09/27/2016 01:24 PM, Travis McPeak wrote:
> There are several attacks (https://pypi.python.org/pypi/defusedxml#id3)
> that can be performed when XML is parsed from untrusted input. 
> DefusedXML offers safe alternatives to XML parsing libraries but is not
> currently part of global requirements. 
> 
> I propose adding DefusedXML to global requirements so that projects have
> an option for safe XML parsing.  Does anybody have any thoughts or
> objections?

Out of curiosity, are there specific areas of concern in existing
projects here? Most projects have dropped XML API support.

-Sean

-- 
Sean Dague
http://dague.net



Re: [openstack-dev] [Security] XML Attacks and DefusedXML on Global Requirements

2016-09-27 Thread Davanum Srinivas
We already debated this in https://review.openstack.org/#/c/311857/

All the lessons learned from DefusedXML were already incorporated in
various python packages. You can test this theory out by using the
test xml(s) in DefusedXML if you wish.

Also note that there have been no changes to the source code since
2013 (https://bitbucket.org/tiran/defusedxml/commits/branch/default)

Thanks,
Dims

On Tue, Sep 27, 2016 at 1:24 PM, Travis McPeak wrote:
> There are several attacks (https://pypi.python.org/pypi/defusedxml#id3) that
> can be performed when XML is parsed from untrusted input.  DefusedXML offers
> safe alternatives to XML parsing libraries but is not currently part of
> global requirements.
>
> I propose adding DefusedXML to global requirements so that projects have an
> option for safe XML parsing.  Does anybody have any thoughts or objections?
>
> Thanks,
> -Travis
>



-- 
Davanum Srinivas :: https://twitter.com/dims

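Two posts in this thread make claims a reader can check for themselves: Charles Neill's description of defusedxml as "just replacing a few vulnerable functions in popular XML libraries with more secure versions", and Dims's suggestion to test whether the standard library already refuses the dangerous constructs. The following script is an added example written for this page; it is not code from the thread, from defusedxml, or from any OpenStack project. It reimplements the defusedxml strategy on top of the standard library's expat binding: install expat callbacks for DOCTYPE declarations, entity declarations and external entity references, and abort the parse at declaration time, before expat expands anything. A `probe` helper then runs the same constructed sample documents through `xml.etree.ElementTree.fromstring` and through the hardened parser so the two behaviours can be compared side by side. The sample documents, the function names and the error class are all constructed for this example.

```python
"""Minimal defusedxml-style hardening of standard-library XML parsing.

Added example for this thread; not code from defusedxml or OpenStack.
It uses only xml.parsers.expat and xml.etree.ElementTree.TreeBuilder.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXMLError(ValueError):
    """Raised when a document uses a DTD feature the hardened parser disallows."""


def parse_xml(data, forbid_dtd=True, forbid_entities=True, forbid_external=True):
    """Parse ``data`` (str or bytes) into an ElementTree Element.

    Builds the tree with expat feeding an ET.TreeBuilder, and installs
    expat callbacks that abort parsing as soon as a DOCTYPE, an entity
    declaration or an external entity reference is seen.  Rejecting at
    declaration time means no entity is ever expanded, which is the same
    approach defusedxml takes.  Namespace processing is left off, so tags
    arrive exactly as written in the document (e.g. "ns:tag").
    """
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()
    parser.buffer_text = True  # coalesce character data into single callbacks

    def start_doctype(name, sysid, pubid, has_internal_subset):
        if forbid_dtd:
            raise ForbiddenXMLError("DOCTYPE declaration %r is not allowed" % name)

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if forbid_entities:
            raise ForbiddenXMLError("entity declaration %r is not allowed" % name)

    def unparsed_entity_decl(name, base, sysid, pubid, notation):
        if forbid_entities:
            raise ForbiddenXMLError("unparsed entity %r is not allowed" % name)

    def external_entity_ref(context, base, sysid, pubid):
        if forbid_external:
            raise ForbiddenXMLError("external entity reference %r is not allowed" % sysid)
        # Non-zero tells expat to continue; since nothing is fetched here,
        # the reference is treated as empty rather than resolved.
        return 1

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.UnparsedEntityDeclHandler = unparsed_entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref

    # Tree-building callbacks: forward expat events to ElementTree's TreeBuilder.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data

    parser.Parse(data, True)
    return builder.close()


# Constructed sample documents for this example (not defusedxml's test files).
# "external_entity" points at a path that does not exist; nothing fetches it.
SAMPLES = {
    "plain": "<config><host>db01</host></config>",
    "internal_entity": '<!DOCTYPE r [<!ENTITY e "expanded">]><r>&e;</r>',
    "external_entity": '<!DOCTYPE r [<!ENTITY ext SYSTEM "file:///nonexistent">]><r>&ext;</r>',
}


def probe(parse_func):
    """Run every sample through ``parse_func``.

    Returns {name: "ok" | "rejected" | "error"}: "rejected" means the
    hardened parser refused the document, "error" means the parser raised
    a normal parse error, "ok" means it produced a tree.
    """
    results = {}
    for name, doc in SAMPLES.items():
        try:
            parse_func(doc)
            results[name] = "ok"
        except ForbiddenXMLError:
            results[name] = "rejected"
        except (expat.ExpatError, ET.ParseError):
            results[name] = "error"
    return results


if __name__ == "__main__":
    print("stdlib ET.fromstring:", probe(ET.fromstring))
    print("hardened parse_xml:  ", probe(parse_xml))
```

Running the script shows the difference Dims's suggestion is meant to surface: `ET.fromstring` accepts the internal-entity document and silently expands `&e;` to `expanded`, while `parse_xml` rejects every document that carries a DOCTYPE at all. The three `forbid_*` switches mirror the knobs defusedxml exposes; turning them all off returns the parser to plain expat behaviour, which is useful for confirming that the rejection really comes from the callbacks and not from a malformed sample.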


[openstack-dev] [Security] XML Attacks and DefusedXML on Global Requirements

2016-09-27 Thread Travis McPeak
There are several attacks (https://pypi.python.org/pypi/defusedxml#id3)
that can be performed when XML is parsed from untrusted input.  DefusedXML
offers safe alternatives to XML parsing libraries but is not currently part
of global requirements.

I propose adding DefusedXML to global requirements so that projects have an
option for safe XML parsing.  Does anybody have any thoughts or objections?

Thanks,
-Travis