osdir.com

[Openstack-security] [Bug 1534284] Re: keystoneauth auth plugins should not use etree XML parsing


Unassigning due to inactivity

** Changed in: keystoneauth
       Status: In Progress => Triaged

** Changed in: keystoneauth
     Assignee: Pavlo Shchelokovskyy (pshchelo) => (unassigned)

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1534284

Title:
  keystoneauth auth plugins should not use etree XML parsing

Status in keystoneauth:
  Triaged
Status in OpenStack Security Advisory:
  Won't Fix
Status in python-keystoneclient:
  Won't Fix

Bug description:
  XML parsing is surprisingly difficult and fraught with danger, for
  example entity expansion makes it easy to cause a lot of memory to be
  used and therefore crash your system. keystoneclient is using etree
  parsing which has these potential issues, although in the case of
  keystoneclient it's the response from the IdP which I think is
  generally trusted.

  This is in python-keystoneclient/keystoneclient/contrib/auth/v3/saml2.py

  There's a defusedxml parser that has protections against these attacks
  and should therefore be used instead if possible -
  https://pypi.python.org/pypi/defusedxml - the docs for this page also
  include some examples of other possible attacks.

  This was caught by bandit 0.17.0.

  I'm going to start this out as private security so we can think about
  it some more before it goes public, even though it's probably not
  something that needs an issue since I think the source is generally
  trusted. If you can't trust your IdP then who can you trust?

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystoneauth/+bug/1534284/+subscriptions
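The entity-expansion hazard the bug description refers to, as an added example that is not part of the bug report and not keystoneclient or keystoneauth code. It uses only the Python standard library: `parse_with_etree` is the plain `xml.etree` behaviour that bandit flags, and `parse_defused` re-creates what defusedxml does by default (refuse any DTD that declares entities, refuse external entity references) on a raw expat parser instead of importing defusedxml. The payload is a constructed "billion laughs" document kept deliberately small (width 10, depth 3, so roughly 3 KB of output rather than gigabytes); the element names and the `saml` root are illustrative only.

```python
"""Added example: entity expansion in plain etree vs. a defused parser.

Standard library only. parse_defused mirrors defusedxml's default
protections (forbid entity declarations and external entity references);
it is not defusedxml itself. The payload is constructed and tiny on purpose.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class EntitiesForbidden(ValueError):
    """Raised when a document declares entities or references external ones."""


def build_entity_bomb(width: int = 10, depth: int = 3) -> str:
    """Constructed "billion laughs" payload, kept small so it is safe to run.

    Each level references the previous one `width` times, so the innermost
    reference expands to width**depth copies of "lol". width=10, depth=3
    yields 3000 bytes of text from a document of a few hundred bytes; the
    real attack uses depth 9 or more and expands to gigabytes.
    """
    decls = ['<!ENTITY lol0 "lol">']
    for level in range(1, depth + 1):
        refs = f"&lol{level - 1};" * width
        decls.append(f'<!ENTITY lol{level} "{refs}">')
    dtd = "\n".join(decls)
    # "saml" is an illustrative root, not a real SAML assertion.
    return f'<?xml version="1.0"?>\n<!DOCTYPE saml [\n{dtd}\n]>\n<saml>&lol{depth};</saml>'


def parse_with_etree(doc: str) -> int:
    """The pattern bandit flags: plain etree expands every internal entity.

    Returns the length of the expanded root text so the blow-up is measurable.
    """
    root = ET.fromstring(doc)
    return len(root.text or "")


def parse_defused(doc: str) -> str:
    """Stdlib re-creation of defusedxml's defaults on a raw expat parser.

    The entity hooks raise before any expansion can happen, so the cost of a
    hostile document is bounded by its own size. Returns the root element's
    character data on success.
    """
    parser = expat.ParserCreate()
    text = []

    def forbid_entity(name, is_param, value, base, system_id, public_id, notation):
        raise EntitiesForbidden(f"entity declaration {name!r} refused")

    def forbid_external(context, base, system_id, public_id):
        # An external entity would make expat read a file or fetch a URL (XXE).
        raise EntitiesForbidden(f"external entity {system_id!r} refused")

    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external
    parser.CharacterDataHandler = text.append
    parser.Parse(doc, True)
    return "".join(text)


def rejects(doc: str) -> bool:
    """True if parse_defused refuses the document."""
    try:
        parse_defused(doc)
    except EntitiesForbidden:
        return True
    return False


if __name__ == "__main__":
    bomb = build_entity_bomb()
    print(f"payload size {len(bomb)} bytes, etree expands to {parse_with_etree(bomb)} chars")
    print("defused parser rejects payload:", rejects(bomb))
    print("defused parser on benign doc:", parse_defused('<saml><Assertion ID="a1">ok</Assertion></saml>'))
```

The point the reporter makes about trust still applies: an IdP response is normally trusted, but the parser's blast radius should not depend on that, and refusing DTDs outright costs nothing for SAML, whose assertions never need one.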