
Security audit - B411 #1025

Closed
nicolargo opened this issue Feb 6, 2017 · 1 comment

Comments

nicolargo (Owner) commented Feb 6, 2017

Description

bandit -r glances/

Issue: [B411:blacklist] Using Fault to parse untrusted XML data is known to be vulnerable to XML attacks. Use defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate XML vulnerabilities.
Severity: High Confidence: High
Location: glances/compat.py:91
90 from SimpleXMLRPCServer import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer
91 from xmlrpclib import Fault, ProtocolError, ServerProxy, Transport
92 from urllib2 import urlopen, URLError

Versions

  • Glances (glances -V): 2.8.1
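
Added example (not Glances code, not from the issue author): what B411 is warning about and what the suggested fix does. Bandit flags the whole `xmlrpclib` import because the stdlib XML-RPC parser accepts DOCTYPE and entity declarations, so a request body can carry an entity-expansion ("billion laughs") or external-entity (XXE) payload. The package bandit means is `defusedxml` (the message's `defused.xmlrpc` is a typo); `defusedxml.xmlrpc.monkey_patch()` replaces `xmlrpc.client.ExpatParser` with a subclass whose expat handlers abort on those constructs. The block below reproduces that approach with the standard library only, so it runs where defusedxml is not installed; the `HardenedExpatParser`, `loads_hardened` and `install_hardened_parser` names and the three request payloads are constructed for illustration.

```python
"""Hardened XML-RPC unmarshalling: refuse DOCTYPE / entity constructs.

Added example, not Glances code. Mirrors what defusedxml.xmlrpc.monkey_patch()
does, using only the standard library. All payloads below are constructed.
"""
import xmlrpc.client


class ForbiddenXML(ValueError):
    """Raised when an XML-RPC payload carries constructs we refuse to parse."""


class HardenedExpatParser(xmlrpc.client.ExpatParser):
    """xmlrpc.client.ExpatParser whose DTD/entity handlers abort parsing.

    XML-RPC never needs a DTD, so any DOCTYPE, internal entity declaration or
    external entity reference is treated as hostile (billion laughs, XXE).
    Raising inside an expat callback stops the parse and propagates the error.
    """

    def __init__(self, target):
        super().__init__(target)
        parser = self._parser  # the pyexpat parser created by the base class
        parser.StartDoctypeDeclHandler = self._reject_doctype
        parser.EntityDeclHandler = self._reject_entity
        parser.UnparsedEntityDeclHandler = self._reject_entity
        parser.ExternalEntityRefHandler = self._reject_external

    def _reject_doctype(self, name, sysid, pubid, has_internal_subset):
        raise ForbiddenXML("DOCTYPE declaration not allowed (%r)" % name)

    def _reject_entity(self, name, *args):
        raise ForbiddenXML("entity declaration not allowed (%r)" % name)

    def _reject_external(self, context, base, sysid, pubid):
        raise ForbiddenXML("external entity reference not allowed (%r)" % sysid)


def loads_hardened(data, use_builtin_types=False):
    """Drop-in for xmlrpc.client.loads() that runs the hardened parser."""
    target = xmlrpc.client.Unmarshaller(use_datetime=False,
                                        use_builtin_types=use_builtin_types)
    parser = HardenedExpatParser(target)
    parser.feed(data)
    parser.close()
    return target.close(), target.getmethodname()


def install_hardened_parser():
    """Patch the module the way defusedxml.xmlrpc.monkey_patch() does.

    xmlrpc.client.getparser() looks ExpatParser up on the module at call time,
    so replacing the attribute covers ServerProxy, loads() and
    SimpleXMLRPCServer (which all go through getparser()).
    """
    xmlrpc.client.ExpatParser = HardenedExpatParser


# Constructed requests for a hypothetical "getAll" method.
BENIGN_CALL = (
    '<?xml version="1.0"?><methodCall><methodName>getAll</methodName>'
    '<params><param><value><string>cpu</string></value></param></params>'
    '</methodCall>'
)

# Constructed "billion laughs" request: two levels of nesting are enough to
# show the shape; a real one nests deeper and expands to gigabytes.
BILLION_LAUGHS_CALL = (
    '<?xml version="1.0"?><!DOCTYPE lolz ['
    '<!ENTITY lol "lol">'
    '<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
    '<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">'
    ']><methodCall><methodName>getAll</methodName>'
    '<params><param><value><string>&lol2;</string></value></param></params>'
    '</methodCall>'
)

# Constructed XXE request: tries to read a local file into the parameter.
XXE_CALL = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    '<methodCall><methodName>getAll</methodName>'
    '<params><param><value><string>&xxe;</string></value></param></params>'
    '</methodCall>'
)


def is_rejected(payload):
    """True if the hardened parser refuses the payload outright."""
    try:
        loads_hardened(payload)
    except ForbiddenXML:
        return True
    return False
```

Calling `install_hardened_parser()` once at import time in the process that hosts the XML-RPC server and the one that runs `ServerProxy` covers both sides; with `defusedxml` available, `defusedxml.xmlrpc.monkey_patch()` does the same and additionally caps the accepted request size, so prefer it in a real project.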
@nicolargo nicolargo added this to the Glances 2.9 milestone Feb 6, 2017
@nicolargo nicolargo changed the title Security audit Security audit - B411 Feb 6, 2017
@nicolargo nicolargo modified the milestone: Glances 2.9 Mar 10, 2017
nicolargo (Owner, Author) commented

First idea: do not use the shell=True option, split the command line.

In [1]: from subprocess import Popen
In [6]: cmd = 'cat README.rst | grep glances | wc -l > /tmp/titi.txt'

In [7]: Popen(cmd, shell=True)
Out[7]: <subprocess.Popen at 0x7f8b46c8c310>

In [13]: cmd_pipe = [c.split('>')[0] for c in cmd.split('|')]

In [14]: cmd_pipe
Out[14]: ['cat README.rst ', ' grep glances ', ' wc -l ']

In [15]: cmd_redir = cmd.split('>')[1]

In [16]: cmd_redir
Out[16]: ' /tmp/titi.txt'

and use stdout for redirection:

import subprocess

# Redirect the child's stdout to a file instead of using "> temp.txt" in a shell.
with open('temp.txt', 'w') as output:
    server = subprocess.Popen('./server.py', stdout=output)
    server.communicate()

and this for the pipe:

from subprocess import Popen, PIPE

# Equivalent of the shell pipeline: output=`dmesg | grep hda`
p1 = Popen(["dmesg"], stdout=PIPE)
p2 = Popen(["grep", "hda"], stdin=p1.stdout, stdout=PIPE)
p1.stdout.close()  # Allow p1 to receive a SIGPIPE if p2 exits.
output = p2.communicate()[0]
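
Added example (not Glances code, not from the comment above): the idea sketched in that comment carried through to a working function. It tokenises a `cmd1 | cmd2 > path` line with `shlex.split`, chains the stages with `Popen` and pipes, and routes the last stage's stdout to the file, so no shell ever interprets the string and metacharacters such as `$(...)` or `;` stay literal arguments. The `parse_pipeline` and `run_pipeline` names and the sample command lines are constructed for illustration; `>>`, `<`, `2>` and quoted `>` characters are deliberately out of scope.

```python
"""Run a shell-style pipeline without shell=True.

Added example, not Glances code. Sample command lines are constructed.
"""
import shlex
from subprocess import PIPE, Popen


def parse_pipeline(cmdline):
    """Split 'cmd1 | cmd2 > path' into ([argv1, argv2], path_or_None).

    Each stage is tokenised with shlex.split, so quoting works but no shell
    ever sees the string: $(...), ;, && and friends remain literal text.
    Only one '>' redirection at the end of the line is supported.
    """
    redirect = None
    if ">" in cmdline:
        cmdline, _, target = cmdline.partition(">")
        redirect = target.strip()
        if not redirect or " " in redirect:
            raise ValueError("expected exactly one output path after '>'")
    stages = [shlex.split(stage) for stage in cmdline.split("|")]
    if any(not argv for argv in stages):
        raise ValueError("empty pipeline stage")
    return stages, redirect


def run_pipeline(cmdline, input_text=None):
    """Execute the pipeline; return (captured_stdout, [returncode per stage]).

    input_text, if given, is fed to the first stage's stdin. When the line ends
    in '> path', the last stage writes to that file and captured_stdout is ''.
    Input is written in one go, so keep it small (a pipe buffer); for large
    input hand the first stage a file object instead.
    """
    stages, redirect = parse_pipeline(cmdline)
    sink = open(redirect, "wb") if redirect else None
    procs = []
    try:
        for index, argv in enumerate(stages):
            first = index == 0
            last = index == len(stages) - 1
            if first:
                stdin = PIPE if input_text is not None else None
            else:
                stdin = procs[-1].stdout  # read end of the previous stage
            stdout = sink if (last and sink is not None) else PIPE
            procs.append(Popen(argv, stdin=stdin, stdout=stdout))
        # Drop our copies of the intermediate pipe ends so an upstream stage
        # gets SIGPIPE when its consumer exits (same reason as the docs example).
        for proc in procs[:-1]:
            proc.stdout.close()
        data = input_text.encode() if input_text is not None else None
        if len(procs) == 1:
            output = procs[0].communicate(data)[0] or b""
        else:
            if data is not None:
                procs[0].stdin.write(data)
                procs[0].stdin.close()
            output = procs[-1].communicate()[0] or b""
            for proc in procs[:-1]:
                proc.wait()
    finally:
        if sink is not None:
            sink.close()
    return output.decode().strip(), [proc.returncode for proc in procs]


if __name__ == "__main__":
    # Metacharacters reach /bin/echo verbatim; nothing is executed or touched.
    print(run_pipeline("echo $(id); touch /tmp/pwned"))
    print(run_pipeline("grep glances | wc -l",
                       input_text="glances\nfoo\nglances\n"))
```

The check worth keeping in mind: `run_pipeline("echo $(id); touch /tmp/pwned")` prints the literal text `$(id); touch /tmp/pwned` and creates no file, whereas the same string under `shell=True` would run `id` and `touch`.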

@nicolargo nicolargo modified the milestones: Glances 2.9, Glances 2.9.1, Glances 2.9.2 Mar 27, 2017
@nicolargo nicolargo modified the milestones: Glances 2.9.2, Next releases, Glances 2.11 May 26, 2017
@nicolargo nicolargo modified the milestones: Glances 2.11, Glances 3.0 Aug 27, 2017
@nicolargo nicolargo modified the milestones: Glances 3.0, Next releases Sep 1, 2018
@nicolargo nicolargo added this to the Glances 3.1 milestone Sep 1, 2018
@nicolargo nicolargo modified the milestones: Glances 3.1.5, 3.1.6 Aug 19, 2020
nicolargo added a commit that referenced this issue Apr 24, 2021
@nicolargo nicolargo modified the milestones: Glances 3.1.7, Glances 3.2.1 Jul 9, 2021
nicolargo added a commit that referenced this issue Jul 9, 2021