2
0
mirror of https://github.com/xcat2/confluent.git synced 2024-11-24 18:41:55 +00:00

Markup bandit exceptions

Apply bandit exceptions and explain
the rationale in each case
This commit is contained in:
Jarrod Johnson 2022-02-16 09:10:33 -05:00
parent f10a27fd7a
commit 33be75a9a2
4 changed files with 25 additions and 6 deletions

View File

@ -546,15 +546,17 @@ def _load_dict_from_dbm(dpath, tdb):
if elem not in currdict:
currdict[elem] = {}
currdict = currdict[elem]
# Pickle is used as the first choice. It is a local self-owned file
# and thus not a significant security risk
try:
for tk in dbe.keys():
tks = confluent.util.stringify(tk)
currdict[tks] = cPickle.loads(dbe[tk])
currdict[tks] = cPickle.loads(dbe[tk]) # nosec
except AttributeError:
tk = dbe.firstkey()
while tk != None:
tks = confluent.util.stringify(tk)
currdict[tks] = cPickle.loads(dbe[tk])
currdict[tks] = cPickle.loads(dbe[tk]) # nosec
tk = dbe.nextkey(tk)
except dbm.error:
return

View File

@ -36,7 +36,9 @@ def fromstring(inputdata):
cmpstr = '!entity'
if cmpstr in inputdata.lower():
raise Exception('!ENTITY not supported in this interface')
return rfromstring(inputdata)
# The measures above should filter out the risky facets of xml
# We don't need sophisticated feature support
return rfromstring(inputdata) # nosec
def fixuuid(baduuid):
# SMM dumps it out in hex

View File

@ -212,7 +212,8 @@ def extract_entries(entries, flags=0, callback=None, totalsize=None, extractlist
write_data_block(write_p, buff, size, offset)
write_finish_entry(write_p)
if os.path.isdir(str(entry)):
os.chmod(str(entry), 0o755)
# This directory must be world accessible for web server
os.chmod(str(entry), 0o755) # nosec
else:
os.chmod(str(entry), 0o644)
if callback:

View File

@ -31,7 +31,14 @@ if 'authResult>1' in rspdata:
rspdata = rsp.read().decode('utf8')
if 'renew_account' in rspdata:
restorepwd = True
tokens = fromstring(rspdata)
if isinstance(rspdata, bytes):
if b'!entity' in rspdata.lower():
raise Exception('Unexpected material')
else:
if '!entity' in rspdata.lower():
raise Exception('Unexpected material')
# the troublesome entity tag is guarded above
tokens = fromstring(rspdata) # nosec
st2 = tokens.findall('st2')[0].text
w.set_header('ST2', st2)
w.request('POST', '/data/changepwd', 'oripwd={0}&newpwd={1}'.format(os.environ['SMMPASS'], tmppassword))
@ -41,7 +48,14 @@ if 'renew_account' in rspdata:
rsp = w.getresponse()
rspdata = rsp.read().decode('utf8')
if 'authResult>0' in rspdata:
tokens = fromstring(rspdata)
if isinstance(rspdata, bytes):
if b'!entity' in rspdata.lower():
raise Exception('Unexpected material')
else:
if '!entity' in rspdata.lower():
raise Exception('Unexpected material')
# the risky xml entity feature is filtered out above
tokens = fromstring(rspdata) # nosec
st2 = tokens.findall('st2')[0].text
w.set_header('ST2', st2)
rules = 'set=passwordDurationDays:0,passwordExpireWarningDays:0,passwordChangeInterval:0,passwordReuseCheckNum:0,passwordFailAllowdNum:0,passwordLockoutTimePeriod:0'