There are several security issues for python plugin code

Bug #1590761 reported by Oleksandr Balenko on 2016-06-09
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
fuel-plugin-xenserver
High
Hua Zhihao

Bug Description

1. Analyze plugin code of fuel-plugin-xenserver-3.1-3.1.2-1.noarch.rpm with bandit tool
https://wiki.openstack.org/wiki/Security/Projects/Bandit

Actual result:

There are several security issues http://paste.openstack.org/show/wzjqm2PKyPxauAqKUxcv/

Expected result:
No security issues.

information type: Private Security → Public Security
information type: Public Security → Public
information type: Public → Public Security
information type: Public Security → Private Security
Revision history for this message
Bob Ball (bob-ball) wrote :

17:26:06 >> Issue: [B411:blacklist] Using xmlrpclib to parse untrusted XML data is known to be vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate XML vulnerabilities.

I am not aware of a way this could be exploited. The XML is all returned (and created) by XAPI, so is not from an untrusted source. Even if a plugin were to return some XML content, this would be wrapped by XAPI. The caller of XenAPI.py would potentially be affected, but the code in XenAPI.py should not be exploitable.

17:26:06 >> Issue: [B404:blacklist] Consider possible security implications associated with subprocess module.
17:26:06 >> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.

We’re not invoking subprocess with any user-supplied input; I therefore can't currently see a way for this to be exploited?

17:26:06 >> Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.

As this is running in the deployment context, this is by definition being run by an administrator. I believe there should not be any possible access (other than by a known-trusted administrator) to the compute nodes during deployment, therefore I believe this shouldn’t be exploitable.

17:26:06 >> Issue: [B506:yaml_load] Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load().

Since we are loading a yaml file either written by MOS or modified by an administrator, I think this should be considered a trusted source.

We have already started on a patch, in public, to address some of these issues:
https://review.openstack.org/#/c/326802/

As we are not aware of any way these issues can be exploited, I suggest we remove the private label and work on this in the open?

Revision history for this message
Oleksandr Balenko (obalenko) wrote :

ok, make the issue as public.

information type: Private Security → Public
Revision history for this message
Irina Povolotskaya (ipovolotskaya) wrote :

Bob, please specify the Closes-Bug tag in your commit message here: https://review.openstack.org/#/c/326802/
and mark the bug status as In Progress.
thanks

Revision history for this message
Bob Ball (bob-ball) wrote :

John will update the commit message to reference this bug.

Changed in fuel-plugin-xenserver:
status: New → In Progress
assignee: nobody → John Hua (john-hua)
importance: Undecided → High
Bob Ball (bob-ball) on 2016-06-21
Changed in fuel-plugin-xenserver:
status: In Progress → Fix Committed
Bob Ball (bob-ball) on 2016-11-28
Changed in fuel-plugin-xenserver:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers