Description
With the test created in the issue wazuh/wazuh-qa#1615, some possible code flaws were found by Bandit.
In this issue we specify flaws regarding the use of insecure XML calls.
Issue 1:
Using tostring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace tostring with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
framework/wazuh/core/configuration.py, line 15 (at commit 7d423ab)
Issue 2:
Using ElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace ElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
framework/wazuh/core/utils.py, line 25 (at commit 7d423ab)
As Bandit indicates, in both cases it is convenient to use defusedxml because it does not reduce functionality and increases security.
These flaws can be avoided with the use of defusedxml (we have already used it in other situations, so we have the dep in the requirements.txt).
This issue aims to delete these vulnerabilities by using the defusedxml dep.
More info: https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b405-import-xml-etree
Once the changes are done, run the test to check that these flaws have been removed from the framework's known-flaws JSON file.
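Added example (not Wazuh code and not part of this issue): what the Bandit finding is about and what the defusedxml replacement does underneath. xml.etree.ElementTree expands DTD-declared entities from untrusted input, so a small "billion laughs" document balloons in memory and CPU; defusedxml's parser stops this by installing expat handlers that raise on entity declarations and external references. The hardened parser below does the same on top of the standard library only, so the two behaviours can be compared side by side without the dependency. Both XML inputs are constructed samples, and the function names (parse_stdlib, parse_hardened, refusal) are this example's own.

```python
"""Added example: stdlib ElementTree expands entities; a defusedxml-style
parser refuses them. Not Wazuh code."""
import xml.etree.ElementTree as ET
from xml.etree.ElementTree import Element, TreeBuilder
from xml.parsers import expat

# Constructed sample: an entity-expansion payload scaled down to 3 levels
# so it runs instantly. A real attack nests ~10 levels (10**9 expansions).
LAUGHS_XML = """<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""

# Constructed sample: a harmless fragment shaped like an ossec.conf block.
BENIGN_XML = (
    "<ossec_config><global><jsonout_output>yes</jsonout_output>"
    "</global></ossec_config>"
)


class EntitiesForbidden(ValueError):
    """Raised when untrusted XML declares or references an entity."""


class DTDForbidden(ValueError):
    """Raised when untrusted XML carries a DOCTYPE and forbid_dtd is set."""


def parse_stdlib(text: str) -> Element:
    """What the flagged code does today: plain ElementTree, entities expanded."""
    return ET.fromstring(text)


def parse_hardened(text: str, forbid_dtd: bool = False) -> Element:
    """Parse untrusted XML with expat handlers that refuse entity
    declarations and external entity references. These are the defaults
    defusedxml uses (forbid_entities=True, forbid_external=True,
    forbid_dtd=False); here they are wired by hand on the stdlib parser."""
    builder = TreeBuilder()
    parser = expat.ParserCreate()

    # Build the element tree the same way ElementTree does.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data

    # Security handlers: an exception raised inside a handler aborts Parse().
    def entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        raise EntitiesForbidden(f"entity declaration not allowed: {name!r}")

    def external_ref(context, base, system_id, public_id):
        raise EntitiesForbidden(f"external entity not allowed: {system_id!r}")

    def doctype(name, system_id, public_id, has_internal_subset):
        raise DTDForbidden(f"DOCTYPE not allowed: {name!r}")

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_ref
    if forbid_dtd:
        parser.StartDoctypeDeclHandler = doctype

    parser.Parse(text, True)
    return builder.close()


def expanded_length(text: str) -> int:
    """Length of the root text after stdlib expansion: shows the amplification."""
    root = parse_stdlib(text)
    return len(root.text or "")


def refusal(text: str, forbid_dtd: bool = False):
    """Name of the refusal the hardened parser raises for text, or None."""
    try:
        parse_hardened(text, forbid_dtd=forbid_dtd)
    except (EntitiesForbidden, DTDForbidden) as exc:
        return type(exc).__name__
    return None


if __name__ == "__main__":
    print(f"stdlib: {len(LAUGHS_XML)} input bytes -> "
          f"{expanded_length(LAUGHS_XML)} bytes of text")
    print("hardened parser on the same input:", refusal(LAUGHS_XML))
    print("hardened parser on benign config:",
          parse_hardened(BENIGN_XML).find("global/jsonout_output").text)
```

In the project itself the fix is the one Bandit suggests: parse with defusedxml.ElementTree (its fromstring and parse install the handlers shown above) or call defusedxml.defuse_stdlib() once at startup so the stdlib modules are monkey-patched. Note that tostring only serializes and never parses; defusedxml.ElementTree re-exports the standard-library tostring, so for the configuration.py finding moving the import is enough, while the utils.py finding is the one where parsing behaviour actually changes.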
Checks
- wazuh/wazuh
  - framework/wazuh/core/cluster/tests/
  - framework/wazuh/core/cluster/dapi/tests/
  - framework/wazuh/core/tests/
  - framework/wazuh/tests/
  - framework/wazuh/rbac/tests/
  - api/api/tests/
  - api/test/integration/
    - api/test/integration/mapping/integration_test_api_endpoints.json
  - api/api/spec/spec.yaml
  - framework/wazuh/core/exception.py
  - CHANGELOG.md
- wazuh/wazuh-documentation
  - source/user-manual/api/equivalence.rst
  - source/user-manual/api/rbac/reference.rst