github/acrn-hypervisor
1
0
Fork 0
mirror of https://github.com/projectacrn/acrn-hypervisor.git synced 2025-11-03 02:51:09 +00:00
Code Issues Projects Releases Wiki Activity
Files
master
acrn-hypervisor/misc/config_tools/configurator/pyodide/populateDefaultValues.py
dongpingx 6f96614e6f misc: Bandit scan issue for lxml 
This patch is to fix Bandit scan issue b313-b320 which is vulnerable to
XML attacks when parsing untrusted XML data.

I replace lxml.etree with the equivalent defusedxml package.

I confirm it works after making a Bandit scan, building the configurator
and compiling the acrn.

Signed-off-by: dongpingx <dongpingx.wu@intel.com>
Tracked-On: #8717
2025-08-20 10:20:20 +08:00

68 lines
1.9 KiB
Python
Raw Permalink Blame History

#!/usr/bin/env python3
#
# Copyright (C) 2022 Intel Corporation.
#
# SPDX-License-Identifier: BSD-3-Clause
#
__package__ = 'configurator.pyodide'
from pathlib import Path
from tempfile import TemporaryDirectory
from defusedxml.ElementTree import tostring
from scenario_config.pipeline import PipelineObject, PipelineEngine
from scenario_config.xml_loader import XMLLoadStage
from scenario_config.default_populator import DefaultValuePopulatingStage
from .pyodide import write_temp_file, nuc11_scenario, scenario_xml_schema_path, convert_result
from .loadScenario import load_scenario_xml
def main(scenario):
pipeline = PipelineEngine(["schema_path", "scenario_path"])
pipeline.add_stages([
XMLLoadStage("schema"),
XMLLoadStage("scenario"),
DefaultValuePopulatingStage(),
])
with TemporaryDirectory() as tmpdir:
write_temp_file(tmpdir, {
'scenario.xml': scenario
})
scenario_file_path = Path(tmpdir) / 'scenario.xml'
obj = PipelineObject(
scenario_path=scenario_file_path,
schema_path=scenario_xml_schema_path,
)
pipeline.run(obj)
# Clean up the VM_NAME and/or vm_name which does not exist
etree = obj.get("scenario_etree").getroot()
vmNames = [name.text for name in etree.findall(".//vm/name")]
for name in etree.findall(".//IVSHMEM_VM/VM_NAME") + \
etree.findall(".//vuart_connection/endpoint/vm_name"):
if name.text not in vmNames:
name.text = ""
own_pcpus = etree.findall(".//vm[vm_type = 'RTVM']/own_pcpu")
for o in own_pcpus:
o.text = 'y'
result = tostring(obj.get("scenario_etree").getroot())
result = result.decode()
result = convert_result({
'xml': result,
'json': load_scenario_xml(result)
})
return result
def test():
main(nuc11_scenario)
if __name__ == '__main__':
test()
Reference in New Issue View Git Blame Copy Permalink