using eval() in dellemc in xmlparser

Bug #2065727 reported by Ashley Rodriguez
Affects: OpenStack Shared File Systems Service (Manila)
Status: Triaged
Importance: Undecided
Assigned to: Unassigned

Bug Description

eval() function raises an error with bandit.
To improve security, replace https://github.com/openstack/manila/blob/1cd1c4369ffc834a236ec228ed0b479f15ce155c/manila/share/drivers/dell_emc/common/enas/xml_api_parser.py#L64 with func as follows:

name = self._get_func(action, self.tag)
func = getattr(self, name)
# Membership in vars() is tested against attribute names, so compare the
# handler's name, not the bound method object (which would never match).
if name in vars(XMLAPIParser):
    if action == 'start':
        func(elem, result)
    elif action == 'end':
        func()

powermax and vnx tests fail with this change due to:

File "/home/zuul/src/opendev.org/openstack/manila/manila/share/drivers/dell_emc/common/enas/xml_api_parser.py", line 64, in parse
    func = getattr(self, self._get_func(action, self.tag))
AttributeError: 'XMLAPIParser' object has no attribute 'start_response_packet'

There is likely an issue with the mocks here: https://github.com/openstack/manila/blob/1cd1c4369ffc834a236ec228ed0b479f15ce155c/manila/tests/share/drivers/dell_emc/plugins/vnx/test_connection.py#L55

The tests attempt to follow the request logic here: https://github.com/openstack/manila/blob/1cd1c4369ffc834a236ec228ed0b479f15ce155c/manila/share/drivers/dell_emc/plugins/vnx/object_manager.py#L147 , instead of accepting the mocked values.

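The getattr-based dispatch the report proposes, worked through as an added example that is not manila's code: `XMLAPIParser` below is a constructed stand-in with made-up tag names, handler names and sample document. It checks the handler name against the class namespace before calling `getattr()`, so an element with no registered handler is skipped instead of raising the `AttributeError` shown in the traceback, and no document text is ever evaluated as Python.

```python
"""Added example (not manila's code): dispatching XML element handlers by
name with getattr() instead of eval().

XMLAPIParser here is a constructed stand-in: the tag names, handler names
and the sample document are made up for the illustration.
"""
import io
import xml.etree.ElementTree as ET

# Constructed sample response; <Unexpected> has no handler on purpose.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<ResponsePacket>
  <Response>
    <QueryStatus maxSeverity="ok"/>
    <Problem messageCode="1001" message="constructed warning"/>
    <Mover name="server_2" mover="1"/>
    <Unexpected attr="ignored"/>
  </Response>
</ResponsePacket>
"""


def _local_name(tag):
    """Strip a '{namespace}' prefix so handler names do not depend on it."""
    return tag.rsplit('}', 1)[-1]


class XMLAPIParser(object):
    """Walks start/end events and calls start_<tag>/end_<tag> handlers.

    The bandit finding (B307) comes from building a Python expression out of
    the tag name and handing it to eval(), roughly
        eval('self.%s(elem, result)' % name)   # flagged by bandit
    Looking the handler up by name and accepting only names defined on this
    class keeps document text from ever being interpreted as code.
    """

    def __init__(self):
        self.tag = None

    @staticmethod
    def _get_func(action, tag):
        """Map ('start', 'ResponsePacket') to 'start_response_packet'."""
        snake = ''.join('_' + c.lower() if c.isupper() else c
                        for c in tag).lstrip('_')
        return '%s_%s' % (action, snake)

    def _handler(self, name):
        """Return the bound handler for `name`, or None if the class has none.

        Checking vars(XMLAPIParser) *before* getattr() is what avoids the
        AttributeError from the bug's traceback for tags without a handler.
        """
        if name in vars(XMLAPIParser) and callable(vars(XMLAPIParser)[name]):
            return getattr(self, name)
        return None

    def parse(self, xml_bytes):
        result = {}
        events = ET.iterparse(io.BytesIO(xml_bytes), events=('start', 'end'))
        for action, elem in events:
            self.tag = _local_name(elem.tag)
            func = self._handler(self._get_func(action, self.tag))
            if func is None:
                continue            # no handler registered: skip the element
            if action == 'start':
                func(elem, result)
            else:
                func()
        return result

    # Handlers: attributes are already available at the 'start' event.
    def start_query_status(self, elem, result):
        result['maxSeverity'] = elem.get('maxSeverity')

    def start_problem(self, elem, result):
        result.setdefault('problems', []).append(dict(elem.attrib))

    def start_mover(self, elem, result):
        result.setdefault('objects', []).append(dict(elem.attrib))

    def end_response_packet(self):
        self.tag = None         # end of document


if __name__ == '__main__':
    print(XMLAPIParser().parse(SAMPLE_XML))
```

Running it prints the collected status, problem and object attributes; the `<Unexpected>` element contributes nothing because `_handler()` returns `None` for it rather than letting `getattr()` raise.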
Tags: dell-emc
Vida Haririan (vhariria)
tags: added: dell-emc
Changed in manila:
status: New → Triaged
OpenStack Infra (hudson-openstack) wrote : Related fix merged to manila (master)

Reviewed: https://review.opendev.org/c/openstack/manila/+/915306
Committed: https://opendev.org/openstack/manila/commit/d9dd70c4f41101f5b1228ca7d9c3750ab5e2bb8a
Submitter: "Zuul (22348)"
Branch: master

commit d9dd70c4f41101f5b1228ca7d9c3750ab5e2bb8a
Author: Ubuntu <email address hidden>
Date: Tue Apr 9 04:03:37 2024 +0000

    Applies nosec in Dell EMC eNAS

    Bandit raises a flag at evals and suggests using
    literal_eval, which does not work here.

    Instead of using eval to parse the attributes,
    the getattr method should be used.
    When using getattr, unit tests fail
    because of problems with mocking requests.
    Applied nosec and reported a bug.

    Related-Bug: 2065727
    Change-Id: Ib5404d9e165be5879f5351c3f0952648ae702b2d
