There are several security issues for python plugin code

Bug #1590761 reported by Oleksandr Balenko on 2016-06-09
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Hua Zhihao

Bug Description

1. Analyze the plugin code of fuel-plugin-xenserver-3.1-3.1.2-1.noarch.rpm with the bandit tool

Actual result:

There are several security issues.

Expected result:
No security issues.

information type: Private Security → Public Security
information type: Public Security → Public
information type: Public → Public Security
information type: Public Security → Private Security
Revision history for this message
Bob Ball (bob-ball) wrote :

17:26:06 >> Issue: [B411:blacklist] Using xmlrpclib to parse untrusted XML data is known to be vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate XML vulnerabilities.

I am not aware of a way this could be exploited. The XML is all returned (and created) by XAPI, so is not from an untrusted source. Even if a plugin were to return some XML content, this would be wrapped by XAPI. The caller of would potentially be affected, but the code in should not be exploitable.

17:26:06 >> Issue: [B404:blacklist] Consider possible security implications associated with subprocess module.
17:26:06 >> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.

We’re not invoking subprocess with any user-supplied input; I therefore can't currently see a way for this to be exploited?

17:26:06 >> Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.

As this is running in the deployment context, this is by definition being run by an administrator. I believe there should not be any possible access (other than by a known-trusted administrator) to the compute nodes during deployment, therefore I believe this shouldn’t be exploitable.

17:26:06 >> Issue: [B506:yaml_load] Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load().

Since we are loading a yaml file either written by MOS or modified by an administrator, I think this should be considered a trusted source.

We have already started on a patch, in public, to address some of these issues:

As we are not aware of any way these issues can be exploited, I suggest we remove the private label and work on this in the open?
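
For readers following the four bandit finding classes quoted in this comment (B108 hardcoded temp path, B404/B603 subprocess, B506 yaml.load, B411 xmlrpclib), the following is an added, constructed example of the corresponding mitigations; it is not code from fuel-plugin-xenserver or from the patch mentioned above. All function names and the sample arguments are illustrative assumptions; the yaml and XML-RPC helpers need the third-party PyYAML and defusedxml packages and are only imported when called.

```python
"""Mitigations for the bandit finding classes B108, B404/B603, B506 and B411.

Constructed example, not code from fuel-plugin-xenserver. Function names,
file names and sample arguments are illustrative assumptions.
"""
import json
import os
import stat
import subprocess
import sys
import tempfile


# --- B108: hardcoded temp path ---------------------------------------------
def write_scratch_file_flagged(content):
    """The pattern bandit flags: a predictable path under /tmp, opened with
    the default umask and no O_EXCL, so any other local user could pre-create
    the file or replace it with a symlink before the deployment script runs."""
    path = "/tmp/plugin-scratch.txt"  # predictable, world-shared location
    with open(path, "w") as fh:
        fh.write(content)
    return path


def write_scratch_file(content):
    """mkstemp creates a uniquely named file with O_CREAT|O_EXCL and mode
    0o600 regardless of umask, so nobody else can pre-create or read it."""
    fd, path = tempfile.mkstemp(prefix="plugin-", suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return path


def file_mode_bits(path):
    """Permission bits of a file (e.g. 0o600); used to verify the fix."""
    return stat.S_IMODE(os.stat(path).st_mode)


# --- B404/B603: subprocess without shell=True --------------------------------
def run_command(argv):
    """Run argv as a list with shell=False. Each element reaches the child
    verbatim, so shell metacharacters inside an argument are data, never
    commands. check=True raises on non-zero exit instead of continuing."""
    if not isinstance(argv, (list, tuple)) or not argv:
        raise ValueError("argv must be a non-empty list of strings")
    result = subprocess.run(argv, shell=False, capture_output=True,
                            text=True, check=True)
    return result.stdout


def echo_args_via_child(*args):
    """Show that a metacharacter-laden argument stays one argv element: the
    child (a Python interpreter, so this runs anywhere) prints sys.argv[1:]
    as JSON and we parse it back into a list."""
    out = run_command([sys.executable, "-c",
                       "import json, sys; print(json.dumps(sys.argv[1:]))",
                       *args])
    return json.loads(out)


# --- B506: yaml.load ----------------------------------------------------------
def load_config_yaml(text):
    """safe_load builds only plain data types (dict, list, str, int, ...),
    so a tag such as !!python/object/apply cannot instantiate arbitrary
    objects even if the file is later edited by someone who is not the
    trusted administrator. Requires PyYAML, hence the local import."""
    import yaml  # third-party PyYAML
    return yaml.safe_load(text)


# --- B411: xmlrpclib ----------------------------------------------------------
def hardened_xmlrpc_module():
    """Apply defusedxml's monkey patch before building any XML-RPC proxy so
    that entity expansion and external entities in responses are rejected.
    Requires defusedxml; on Python 3 the module is xmlrpc.client."""
    import defusedxml.xmlrpc  # third-party defusedxml
    defusedxml.xmlrpc.monkey_patch()
    import xmlrpc.client
    return xmlrpc.client


if __name__ == "__main__":
    scratch = write_scratch_file("constructed scratch data\n")
    print("temp file mode:", oct(file_mode_bits(scratch)))
    os.unlink(scratch)
    print("argv as seen by child:", echo_args_via_child("host; echo injected"))
```

The mkstemp and list-argv patterns cost nothing even when, as the comment argues, the inputs are trusted: they remove the finding without changing behaviour, which is usually cheaper than arguing each case with the scanner.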

Oleksandr Balenko (obalenko) wrote :

OK, make the issue public.

information type: Private Security → Public
Irina Povolotskaya (ipovolotskaya) wrote :

Bob, please specify the Closes-Bug tag in your commit message here:
and mark the bug status as In Progress.

Bob Ball (bob-ball) wrote :

John will update the commit message to reference this bug.

Changed in fuel-plugin-xenserver:
status: New → In Progress
assignee: nobody → John Hua (john-hua)
importance: Undecided → High
Bob Ball (bob-ball) on 2016-06-21
Changed in fuel-plugin-xenserver:
status: In Progress → Fix Committed
Bob Ball (bob-ball) on 2016-11-28
Changed in fuel-plugin-xenserver:
status: Fix Committed → Fix Released