Comment 1 for bug 1590761

Revision history for this message
Bob Ball (bob-ball) wrote :

17:26:06 >> Issue: [B411:blacklist] Using xmlrpclib to parse untrusted XML data is known to be vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate XML vulnerabilities.

I am not aware of a way this could be exploited. The XML is all returned (and created) by XAPI, so is not from an untrusted source. Even if a plugin were to return some XML content, this would be wrapped by XAPI. The caller of would potentially be affected, but the code in should not be exploitable.

17:26:06 >> Issue: [B404:blacklist] Consider possible security implications associated with subprocess module.
17:26:06 >> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.

We’re not invoking subprocess with any user-supplied input; I therefore can't currently see a way for this to be exploited?

17:26:06 >> Issue: [B108:hardcoded_tmp_directory] Probable insecure usage of temp file/directory.

As this is running in the deployment context, this is by definition being run by an administrator. I believe there should not be any possible access (other than by a known-trusted administrator) to the compute nodes during deployment, therefore I believe this shouldn’t be exploitable.

17:26:06 >> Issue: [B506:yaml_load] Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load().

Since we are loading a yaml file either written by MOS or modified by an administrator, I think this should be considered a trusted source.

We have already started on a patch, in public, to address some of these issues:

As we are not aware of any way these issues can be exploited, I suggest we remove the private label and work on this in the open?