Implement secure deserialize function
Bug #1459717 reported by Adrian Otto
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Magnum | Fix Released | Critical | Steven Dake | |
Bug Description
The deserialize function that swagger uses includes the usage of eval. It is possible to completely destroy a system using eval,
so eval usage is not recommended. Our bandit non-voting gate will reject eval usage. stackoverflow recommends using
ast.literal_eval, but we must create python objects in some cases, which ast.literal_eval will not do. Instead write a new
implementation of deserialize which is secure.
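As an added example (not Magnum's or the swagger client's own code): a deserialize that resolves swagger type strings such as `list[Container]` and `dict(str, str)` through an explicit allowlist of model classes instead of eval(), so a type name that is not registered is rejected rather than evaluated. The model classes, `MODELS` registry and sample payload are constructed for illustration.

```python
import json

# Constructed stand-ins for swagger-generated model classes (assumption, not Magnum's code).
class Container:
    swagger_types = {"image": "str", "ports": "list[int]"}
    def __init__(self, image=None, ports=None):
        self.image, self.ports = image, ports

class Pod:
    swagger_types = {"name": "str", "labels": "dict(str, str)", "containers": "list[Container]"}
    def __init__(self, name=None, labels=None, containers=None):
        self.name, self.labels, self.containers = name, labels, containers

PRIMITIVES = {"int": int, "float": float, "str": str, "bool": bool}
# Explicit allowlist: the only way a type string can become a class. No eval(), no getattr()
# on arbitrary modules, so a name outside this table cannot be resolved at all.
MODELS = {"Pod": Pod, "Container": Container}

def deserialize(data, klass):
    """Build a Python value from JSON-decoded data, guided by a swagger type string."""
    if data is None:
        return None
    if klass.startswith("list[") and klass.endswith("]"):
        return [deserialize(item, klass[5:-1]) for item in data]
    if klass.startswith("dict(") and klass.endswith(")"):
        _key_type, value_type = klass[5:-1].split(",", 1)
        return {k: deserialize(v, value_type.strip()) for k, v in data.items()}
    if klass in PRIMITIVES:
        return PRIMITIVES[klass](data)
    if klass in MODELS:
        model = MODELS[klass]
        obj = model()
        # Only attributes declared by the model are populated; unknown keys are ignored.
        for attr, attr_type in model.swagger_types.items():
            if attr in data:
                setattr(obj, attr, deserialize(data[attr], attr_type))
        return obj
    raise ValueError("unknown swagger type %r; refusing to resolve it dynamically" % klass)

# Constructed sample API response for the example.
SAMPLE = json.loads('{"name": "web", "labels": {"tier": "frontend"}, '
                    '"containers": [{"image": "nginx:1.9", "ports": [80, 443]}]}')

if __name__ == "__main__":
    pod = deserialize(SAMPLE, "Pod")
    print(pod.name, pod.labels, pod.containers[0].image, pod.containers[0].ports)
```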
Changed in magnum:
status: Confirmed → In Progress
Changed in magnum:
status: Fix Committed → Fix Released
The python k8s library is busted without fixing this - changing importance to high.