mirror of
https://github.com/xcat2/confluent.git
synced 2024-11-24 18:41:55 +00:00
Markup bandit exceptions
Apply bandit exceptions and explain the rationale in each case
This commit is contained in:
parent
f10a27fd7a
commit
33be75a9a2
@ -546,15 +546,17 @@ def _load_dict_from_dbm(dpath, tdb):
|
||||
if elem not in currdict:
|
||||
currdict[elem] = {}
|
||||
currdict = currdict[elem]
|
||||
# Pickle is used as the first choice. It is a local self-owned file
|
||||
# and thus not a significant security risk
|
||||
try:
|
||||
for tk in dbe.keys():
|
||||
tks = confluent.util.stringify(tk)
|
||||
currdict[tks] = cPickle.loads(dbe[tk])
|
||||
currdict[tks] = cPickle.loads(dbe[tk]) # nosec
|
||||
except AttributeError:
|
||||
tk = dbe.firstkey()
|
||||
while tk != None:
|
||||
tks = confluent.util.stringify(tk)
|
||||
currdict[tks] = cPickle.loads(dbe[tk])
|
||||
currdict[tks] = cPickle.loads(dbe[tk]) # nosec
|
||||
tk = dbe.nextkey(tk)
|
||||
except dbm.error:
|
||||
return
|
||||
|
@ -36,7 +36,9 @@ def fromstring(inputdata):
|
||||
cmpstr = '!entity'
|
||||
if cmpstr in inputdata.lower():
|
||||
raise Exception('!ENTITY not supported in this interface')
|
||||
return rfromstring(inputdata)
|
||||
# The measures above should filter out the risky facets of xml
|
||||
# We don't need sophisticated feature support
|
||||
return rfromstring(inputdata) # nosec
|
||||
|
||||
def fixuuid(baduuid):
|
||||
# SMM dumps it out in hex
|
||||
|
@ -212,7 +212,8 @@ def extract_entries(entries, flags=0, callback=None, totalsize=None, extractlist
|
||||
write_data_block(write_p, buff, size, offset)
|
||||
write_finish_entry(write_p)
|
||||
if os.path.isdir(str(entry)):
|
||||
os.chmod(str(entry), 0o755)
|
||||
# This directory must be world accessible for web server
|
||||
os.chmod(str(entry), 0o755) # nosec
|
||||
else:
|
||||
os.chmod(str(entry), 0o644)
|
||||
if callback:
|
||||
|
@ -31,7 +31,14 @@ if 'authResult>1' in rspdata:
|
||||
rspdata = rsp.read().decode('utf8')
|
||||
if 'renew_account' in rspdata:
|
||||
restorepwd = True
|
||||
tokens = fromstring(rspdata)
|
||||
if isinstance(rspdata, bytes):
|
||||
if b'!entity' in rspdata.lower():
|
||||
raise Exception('Unexpected material')
|
||||
else:
|
||||
if '!entity' in rspdata.lower():
|
||||
raise Exception('Unexpected material')
|
||||
# the troublesome entity tag is guarded above
|
||||
tokens = fromstring(rspdata) # nosec
|
||||
st2 = tokens.findall('st2')[0].text
|
||||
w.set_header('ST2', st2)
|
||||
w.request('POST', '/data/changepwd', 'oripwd={0}&newpwd={1}'.format(os.environ['SMMPASS'], tmppassword))
|
||||
@ -41,7 +48,14 @@ if 'renew_account' in rspdata:
|
||||
rsp = w.getresponse()
|
||||
rspdata = rsp.read().decode('utf8')
|
||||
if 'authResult>0' in rspdata:
|
||||
tokens = fromstring(rspdata)
|
||||
if isinstance(rspdata, bytes):
|
||||
if b'!entity' in rspdata.lower():
|
||||
raise Exception('Unexpected material')
|
||||
else:
|
||||
if '!entity' in rspdata.lower():
|
||||
raise Exception('Unexpected material')
|
||||
# the risky xml entity feature is filtered out above
|
||||
tokens = fromstring(rspdata) # nosec
|
||||
st2 = tokens.findall('st2')[0].text
|
||||
w.set_header('ST2', st2)
|
||||
rules = 'set=passwordDurationDays:0,passwordExpireWarningDays:0,passwordChangeInterval:0,passwordReuseCheckNum:0,passwordFailAllowdNum:0,passwordLockoutTimePeriod:0'
|
||||
|
Loading…
Reference in New Issue
Block a user