Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use defusedxml lib #2979

Closed
nicolargo opened this issue Oct 19, 2024 · 1 comment
Closed

Use defusedxml lib #2979

nicolargo opened this issue Oct 19, 2024 · 1 comment
Labels
cyber
Milestone
Glances 4.2.0

Comments

@nicolargo
Copy link
Owner

SemGrep alert:

    glances/globals.py
   ❯❯❱ python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc
          Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc
          instead.                                                                                         
          Details: https://sg.run/weqY                                                                     
                                                                                                           
           35┆ from xmlrpc.client import Fault, ProtocolError, Server, ServerProxy, Transport
            ⋮┆----------------------------------------
           36┆ from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer

Use:

➜ ./venv/bin/python
Python 3.12.3 (main, Sep 11 2024, 14:17:37) [GCC 13.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import defusedxml.xmlrpc
>>> from xmlrpc.client import Fault, ProtocolError, Server, ServerProxy, Transport
>>> from defusedxml.xmlrpc.client import Fault, ProtocolError, Server, ServerProxy, Transport
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ModuleNotFoundError: No module named 'defusedxml.xmlrpc.client'; 'defusedxml.xmlrpc' is not a package
>>> from xmlrpc.client import Fault, ProtocolError, Server, ServerProxy, Transport
>>> from defusedxml.xmlrpc
  File "<stdin>", line 1
    from defusedxml.xmlrpc
                          ^
SyntaxError: invalid syntax
>>> import defusedxml.xmlrpc
>>> dir(defusedxml.xmlrpc)
['DTDForbidden', 'DefusedExpatParser', 'DefusedGzipDecodedResponse', 'EntitiesForbidden', 'ExpatParser', 'ExternalReferenceForbidden', 'MAX_DATA', 'PY3', '_OrigGzipDecodedResponse', '__builtins__', '__cached__', '__doc__', '__file__', '__loader__', '__name__', '__origin__', '__package__', '__spec__', '_orig_gzip_decode', 'absolute_import', 'defused_gzip_decode', 'gzip', 'io', 'monkey_patch', 'print_function', 'unmonkey_patch', 'xmlrpc_client', 'xmlrpc_server']
>>> from defusedxml.xmlrpc import xmlrpc_client as defusedxmlrpc_client
>>> dir(defusedxmlrpc_client)
['APPLICATION_ERROR', 'Binary', 'Boolean', 'BytesIO', 'DateTime', 'Decimal', 'Error', 'ExpatParser', 'FastMarshaller', 'FastParser', 'FastUnmarshaller', 'Fault', 'GzipDecodedResponse', 'INTERNAL_ERROR', 'INVALID_ENCODING_CHAR', 'INVALID_METHOD_PARAMS', 'INVALID_XMLRPC', 'MAXINT', 'METHOD_NOT_FOUND', 'MININT', 'Marshaller', 'MultiCall', 'MultiCallIterator', 'NOT_WELLFORMED_ERROR', 'PARSE_ERROR', 'ProtocolError', 'ResponseError', 'SERVER_ERROR', 'SYSTEM_ERROR', 'SafeTransport', 'Server', 'ServerProxy', 'TRANSPORT_ERROR', 'Transport', 'UNSUPPORTED_ENCODING', 'Unmarshaller', 'WRAPPERS', '_Method', '_MultiCallMethod', '__builtins__', '__cached__', '__doc__', '__file__', '__loader__', '__name__', '__package__', '__spec__', '__version__', '_binary', '_datetime', '_datetime_type', '_iso8601_format', '_strftime', 'base64', 'boolean', 'datetime', 'dumps', 'errno', 'escape', 'expat', 'getparser', 'gzip', 'gzip_decode', 'gzip_encode', 'http', 'loads', 'sys', 'time', 'urllib']
>>> defusedxmlrpc_client.S
defusedxmlrpc_client.SERVER_ERROR    defusedxmlrpc_client.SYSTEM_ERROR    defusedxmlrpc_client.SafeTransport(  defusedxmlrpc_client.Server(         defusedxmlrpc_client.ServerProxy(
>>> defusedxmlrpc_client.S
defusedxmlrpc_client.SERVER_ERROR    defusedxmlrpc_client.SYSTEM_ERROR    defusedxmlrpc_client.SafeTransport(  defusedxmlrpc_client.Server(         defusedxmlrpc_client.ServerProxy(
>>> defusedxmlrpc_client.T
defusedxmlrpc_client.TRANSPORT_ERROR  defusedxmlrpc_client.Transport(       
>>> defusedxmlrpc_client.Transport(
@nicolargo nicolargo added this to the Glances 4.2.0 milestone Oct 19, 2024
nicolargo added a commit that referenced this issue Oct 19, 2024
@nicolargo
Use defusedxml lib #2979
315678b
@nicolargo
Copy link
Owner Author

Done on the develop branch.

Only defusedxml is used.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
cyber
Projects
None yet
Milestone
Glances 4.2.0
Development

No branches or pull requests
1 participant
@nicolargo