Fixed security issues in Datumaro (#1244)

* Fixed security issues reported by bandit. * Fixed voc_format extractor * Sorted requirements, added a comment, removed nosec for exec.
6 years ago · ec2fa6ee51
parent 546c9414e7
commit ec2fa6ee51
5 changed files with 12 additions and 7 deletions
--- a/datumaro/datumaro/plugins/cvat_format/extractor.py
+++ b/datumaro/datumaro/plugins/cvat_format/extractor.py
@ -5,7 +5,7 @@

 from collections import OrderedDict
 import os.path as osp
-import xml.etree as ET
+from defusedxml import ElementTree

 from datumaro.components.extractor import (SourceExtractor,
    DEFAULT_SUBSET_NAME, DatasetItem,
@ -64,7 +64,7 @@ class CvatExtractor(SourceExtractor):

    @classmethod
    def _parse(cls, path):
-        context = ET.ElementTree.iterparse(path, events=("start", "end"))
+        context = ElementTree.iterparse(path, events=("start", "end"))
        context = iter(context)

        categories, frame_size = cls._parse_meta(context)
--- a/datumaro/datumaro/plugins/openvino_launcher.py
+++ b/datumaro/datumaro/plugins/openvino_launcher.py
@ -48,9 +48,12 @@ class OpenVinoLauncher(Launcher):
    @staticmethod
    def _check_instruction_set(instruction):
        return instruction == str.strip(
+            # Let's ignore a warning from bandit about using shell=True.
+            # In this case it isn't a security issue and we use some
+            # shell features like pipes.
            subprocess.check_output(
-                'lscpu | grep -o "{}" | head -1'.format(instruction), shell=True
-            ).decode('utf-8')
+                'lscpu | grep -o "{}" | head -1'.format(instruction),
+                shell=True).decode('utf-8') # nosec
        )

    @staticmethod
--- a/datumaro/datumaro/plugins/voc_format/extractor.py
+++ b/datumaro/datumaro/plugins/voc_format/extractor.py
@ -7,7 +7,7 @@ from collections import defaultdict
 import logging as log
 import numpy as np
 import os.path as osp
-from xml.etree import ElementTree as ET
+from defusedxml import ElementTree

 from datumaro.components.extractor import (SourceExtractor,
    DEFAULT_SUBSET_NAME, DatasetItem,
@ -121,7 +121,7 @@ class _VocXmlExtractor(_VocExtractor):
            anns = []
            ann_file = osp.join(anno_dir, item_id + '.xml')
            if osp.isfile(ann_file):
-                root_elem = ET.parse(ann_file)
+                root_elem = ElementTree.parse(ann_file)
                height = root_elem.find('size/height')
                if height is not None:
                    height = int(height.text)
--- a/datumaro/requirements.txt
+++ b/datumaro/requirements.txt
@ -1,4 +1,5 @@
 Cython>=0.27.3 # include before pycocotools
+defusedxml>=0.6.0
 GitPython>=3.0.8
 lxml>=4.4.1
 matplotlib<3.1 # 3.1+ requires python3.6, but we have 3.5 in cvat
--- a/datumaro/setup.py
+++ b/datumaro/setup.py
@ -48,14 +48,15 @@ setuptools.setup(
    ],
    python_requires='>=3.5',
    install_requires=[
+        'defusedxml',
        'GitPython',
        'lxml',
        'matplotlib',
        'numpy',
        'opencv-python',
        'Pillow',
-        'PyYAML',
        'pycocotools',
+        'PyYAML',
        'scikit-image',
        'tensorboardX',
    ],