Severity: Medium Confidence: Medium | |
Location: swift/common/db.py:864 — triage note: the only interpolated fragment is `self.db_type`, used as a table-name prefix (`%s_stat`); the metadata value is bound with a `?` placeholder. This is not exploitable unless `db_type` can be driven by request input, which these lines do not show — confirm where `db_type` is assigned before closing it as a false positive.
862 for key in keys_to_delete: | |
863 del md[key] | |
864 conn.execute('UPDATE %s_stat SET metadata = ?' % | |
865 self.db_type, (json.dumps(md),)) | |
866 return True | |
867 except sqlite3.OperationalError as err: | |
-------------------------------------------------- | |
>> Issue: [hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction. Triage note: `%s` is filled only with `self.db_type` (table-name prefix); both timestamp values are passed as bound parameters via `?`. Likely a false positive, provided `db_type` is an internal constant rather than caller-controlled (not visible here).
Severity: Medium Confidence: Medium | |
Location: swift/common/db.py:881 | |
879 with self.get() as conn: | |
880 conn.execute( | |
881 'UPDATE %s_stat SET put_timestamp = ?' | |
882 ' WHERE put_timestamp < ?' % self.db_type, | |
883 (timestamp, timestamp)) | |
884 conn.commit() | |
-------------------------------------------------- | |
>> Issue: [hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction. Triage note: same pattern as the other `db.py` hits — only `self.db_type` is interpolated into the table name, and `timestamp` is bound via `?` placeholders, so no user-supplied value reaches the SQL text in the lines shown.
Severity: Medium Confidence: Medium | |
Location: swift/common/db.py:900 | |
898 def _update_status_changed_at(self, conn, timestamp): | |
899 conn.execute( | |
900 'UPDATE %s_stat SET status_changed_at = ?' | |
901 ' WHERE status_changed_at < ?' % self.db_type, | |
902 (timestamp, timestamp)) | |
-------------------------------------------------- | |
>> Issue: [hardcoded_bind_all_interfaces] Possible binding to all interfaces. Triage note: `'0.0.0.0'` here is the fallback when `bind_ip` is absent from the replicator config, not an unconditional bind. Treat it as a deployment check — replication traffic should be pinned to the replication/storage network by setting `bind_ip` explicitly, since the default exposes the replicator port on every interface.
Severity: Medium Confidence: Medium | |
Location: swift/common/db_replicator.py:158 | |
156 self.root = conf.get('devices', '/srv/node') | |
157 self.mount_check = config_true_value(conf.get('mount_check', 'true')) | |
158 self.bind_ip = conf.get('bind_ip', '0.0.0.0') | |
159 self.port = int(conf.get('bind_port', self.default_port)) | |
160 concurrency = int(conf.get('concurrency', 8)) | |
-------------------------------------------------- | |
>> Issue: [hardcoded_bind_all_interfaces] Possible binding to all interfaces. Triage note: the flagged line (`utils.py:1925`) is a membership test against `('0.0.0.0', '::')` used to detect a wildcard address, not a `bind()` call — this is a string-literal false positive from the scanner.
Severity: Medium Confidence: Medium | |
Location: swift/common/utils.py:1925 | |
1923 bind_ip, None, 0, socket.SOCK_STREAM, 0, | |
1924 socket.AI_NUMERICHOST)[0] | |
1925 if sockaddr[0] not in ('0.0.0.0', '::'): | |
1926 return [bind_ip] | |
1927 except socket.gaierror: | |
-------------------------------------------------- | |
>> Issue: [hardcoded_bind_all_interfaces] Possible binding to all interfaces. Triage note: this is the finding that matters most — `bind_addr` feeds the WSGI server's listening socket, so any proxy/account/container/object server whose config omits `bind_ip` listens on all interfaces. Verify every deployed `*-server.conf` sets `bind_ip` to the intended interface rather than relying on the default.
Severity: Medium Confidence: Medium | |
Location: swift/common/wsgi.py:178 | |
176 except (ValueError, KeyError, TypeError): | |
177 raise ConfigFilePortError() | |
178 bind_addr = (conf.get('bind_ip', '0.0.0.0'), bind_port) | |
179 address_family = [addr[0] for addr in socket.getaddrinfo( | |
180 bind_addr[0], bind_addr[1], socket.AF_UNSPEC, socket.SOCK_STREAM) | |
-------------------------------------------------- | |
>> Issue: [hardcoded_bind_all_interfaces] Possible binding to all interfaces. Triage note: in the lines shown, `bind_ip` is only passed to `BindPortsCache`; no socket is bound here. Whether a wildcard address ever reaches a listening socket depends on how the cache is consumed, which is outside this excerpt.
Severity: Medium Confidence: Medium | |
Location: swift/common/wsgi.py:707 | |
705 self.port_pid_state = PortPidState(servers_per_port, logger) | |
706 | |
707 bind_ip = conf.get('bind_ip', '0.0.0.0') | |
708 self.cache = BindPortsCache(self.swift_dir, bind_ip) | |
709 | |
-------------------------------------------------- | |
>> Issue: [hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction. Triage note: the `%s` is filled with `','.join('?' * len(chunk))` — a placeholder list, not data — and `chunk` is passed as bound parameters. The residual question is `query_mod`, which is concatenated directly into the SQL; its construction is not shown here and should be confirmed to come only from trusted constants, never from object names or request input.
Severity: Medium Confidence: Medium | |
Location: swift/container/backend.py:841 | |
839 records.update( | |
840 ((rec[0], rec[6]), rec) for rec in curs.execute( | |
841 'SELECT name, created_at, size, content_type,' | |
842 'etag, deleted, storage_policy_index ' | |
843 'FROM object WHERE ' + query_mod + ' name IN (%s)' % | |
844 ','.join('?' * len(chunk)), chunk)) | |
845 # Sort item_list into things that need adding and deleting, based | |
-------------------------------------------------- | |
>> Issue: [hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction. Triage note: `name` and `storage_policy_index` are bound via `executemany` parameters; only `query_mod` is concatenated into the statement text. Same caveat as the SELECT above it — confirm `query_mod` cannot carry untrusted input before dismissing this hit.
Severity: Medium Confidence: Medium | |
Location: swift/container/backend.py:861 | |
859 if to_delete: | |
860 curs.executemany( | |
861 'DELETE FROM object WHERE ' + query_mod + | |
862 'name=? AND storage_policy_index=?', | |
863 ((rec['name'], rec['storage_policy_index']) | |
-------------------------------------------------- | |
>> Issue: [hardcoded_bind_all_interfaces] Possible binding to all interfaces. Triage note: container-sync uses `bind_ip` only to derive its own addresses via `whataremyips(bind_ip)`; the lines shown open no listening socket, so this is a configuration-default hit rather than an exposure by itself.
Severity: Medium Confidence: Medium | |
Location: swift/container/sync.py:216 | |
214 self.container_ring = container_ring or Ring(self.swift_dir, | |
215 ring_name='container') | |
216 bind_ip = conf.get('bind_ip', '0.0.0.0') | |
217 self._myips = whataremyips(bind_ip) | |
218 self._myport = int(conf.get('bind_port', 6201)) | |
-------------------------------------------------- | |
>> Issue: [hardcoded_bind_all_interfaces] Possible binding to all interfaces. Triage note: `'0.0.0.0'` is the config fallback for the reconstructor's `bind_ip`, not a literal bind. The actionable item is operational — ensure the object-server config sets `bind_ip` so reconstruction traffic stays on the storage network.
Severity: Medium Confidence: Medium | |
Location: swift/obj/reconstructor.py:127 | |
125 self.mount_check = config_true_value(conf.get('mount_check', 'true')) | |
126 self.swift_dir = conf.get('swift_dir', '/etc/swift') | |
127 self.bind_ip = conf.get('bind_ip', '0.0.0.0') | |
128 self.servers_per_port = int(conf.get('servers_per_port', '0') or 0) | |
129 self.port = None if self.servers_per_port else \ | |
-------------------------------------------------- | |
>> Issue: [hardcoded_bind_all_interfaces] Possible binding to all interfaces. Triage note: identical default-value pattern to the reconstructor — `bind_ip` falls back to `'0.0.0.0'` only when unset in config. Flag for deployment review (set `bind_ip` explicitly) rather than as a code defect.
Severity: Medium Confidence: Medium | |
Location: swift/obj/replicator.py:68 | |
66 self.mount_check = config_true_value(conf.get('mount_check', 'true')) | |
67 self.swift_dir = conf.get('swift_dir', '/etc/swift') | |
68 self.bind_ip = conf.get('bind_ip', '0.0.0.0') | |
69 self.servers_per_port = int(conf.get('servers_per_port', '0') or 0) | |
70 self.port = None if self.servers_per_port else \ | |
-------------------------------------------------- |