yahoo-eng-team team mailing list archive - Message #33250
[Bug 1460061] [NEW] Security issues reported by bandit
Public bug reported:
Using the tox target added in this review -
https://review.openstack.org/#/c/186752/
============================================================================================
>> Use of exec detected.
 - nova/cmd/manage.py::215
    214    """
    215    exec(compile(open(path).read(), path, 'exec'), locals(), globals())
    216

>> Use of insecure MD5 hash function.
 - nova/utils.py::1131
    1130    """returns string that represents hash of base_str (in hex format)."""
    1131    return hashlib.md5(base_str).hexdigest()
    1132

>> Pickle library appears to be in use, possible security issue.
 - nova/virt/xenapi/client/session.py::213
    212    rv = self.call_plugin(plugin, fn, params)
    213    return pickle.loads(rv)
    214

>> Use of possibly insecure function - consider using safer ast.literal_eval.
 - nova/virt/xenapi/client/session.py::291
    290    # FIXME(comstud): eval is evil.
    291    params = eval(exc.details[3])
    292    except Exception:

>> Pickle library appears to be in use, possible security issue.
 - nova/virt/xenapi/fake.py::661
    660    def _plugin_migration_transfer_vhd(self, method, args):
    661    kwargs = pickle.loads(args['params'])['kwargs']
    662    vdi_ref = self.xenapi_request('VDI.get_by_uuid',

>> Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.
 - nova/virt/xenapi/vm_utils.py::1961
    1960    try:
    1961    xml = urllib.urlopen("%s://%s:%s@%s/vm_rrd?uuid=%s" % (
    1962    server[0],
    1963    CONF.xenserver.connection_username,
    1964    CONF.xenserver.connection_password,
============================================================================================
** Affects: nova
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1460061
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1460061/+subscriptions