
yahoo-eng-team team mailing list archive

[Bug 1460061] Re: Security issues reported by bandit


** Changed in: nova
       Status: In Progress => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1460061

Title:
  Security issues reported by bandit

Status in OpenStack Compute (Nova):
  Invalid

Bug description:
  Using the tox target added in this review -
  https://review.openstack.org/#/c/186752/

  ============================================================================================
  >> Use of exec detected.
   - nova/cmd/manage.py::215
  214	        """
  215	        exec(compile(open(path).read(), path, 'exec'), locals(), globals())
  216

  >> Use of insecure MD5 hash function.
   - nova/utils.py::1131
  1130	    """returns string that represents hash of base_str (in hex format)."""
  1131	    return hashlib.md5(base_str).hexdigest()
  1132

  >> Pickle library appears to be in use, possible security issue.
   - nova/virt/xenapi/client/session.py::213
  212	        rv = self.call_plugin(plugin, fn, params)
  213	        return pickle.loads(rv)
  214

  >> Use of possibly insecure function - consider using safer ast.literal_eval.
   - nova/virt/xenapi/client/session.py::291
  290	                    # FIXME(comstud): eval is evil.
  291	                    params = eval(exc.details[3])
  292	                except Exception:

  >> Pickle library appears to be in use, possible security issue.
   - nova/virt/xenapi/fake.py::661
  660	    def _plugin_migration_transfer_vhd(self, method, args):
  661	        kwargs = pickle.loads(args['params'])['kwargs']
  662	        vdi_ref = self.xenapi_request('VDI.get_by_uuid',

  >> Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.
   - nova/virt/xenapi/vm_utils.py::1961
  1960	    try:
  1961	        xml = urllib.urlopen("%s://%s:%s@%s/vm_rrd?uuid=%s" % (
  1962	            server[0],
  1963	            CONF.xenserver.connection_username,
  1964	            CONF.xenserver.connection_password,
  ============================================================================================

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1460061/+subscriptions