bandit
B405 complains about any xml.etree.ElementTree import, not just parse-related ones
Importing like so:
from xml.etree.ElementTree import Element
gives a bandit error (B405).
This error talks about parsing (which is indeed unsafe), but the imported name is not related to parsing. At the same time, the suggested remedy (defusedxml) provides alternatives only for parsing-related functions, in particular parse, iterparse, fromstring, and XMLParser. In other words, the suggested solution of doing the following fails:
# Will fail!
from defusedxml.ElementTree import Element
Just to add to this: it also matters if you are using type hints.
from defusedxml.ElementTree import fromstring
from xml.etree.ElementTree import Element
root: Element = fromstring("<foo/>")
Still an issue. The simple fix is to just ignore the type-hinting elements.
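For readers of this thread, here is an added example (not code from bandit, defusedxml, or the commenters above) that separates the two things B405 lumps together: building a tree with Element/SubElement/tostring, which parses nothing and has nothing to exploit, and parsing untrusted text, which is where entity expansion ("billion laughs") and external-entity reads live. The parser is a stdlib-only sketch of the mitigation defusedxml applies (refusing entity declarations and external entity references through expat handlers); in production use defusedxml's fromstring and suppress the remaining import warning with a `# nosec` comment (the per-test form `# nosec B405` is accepted by recent bandit releases; older ones take a bare `# nosec`). The `build_report`/`hardened_fromstring` names and the sample documents are constructed for this example.

```python
# Added example, not from the bandit issue or from defusedxml.
import xml.etree.ElementTree as ET  # nosec B405 - untrusted input only reaches the hardened expat parser below
from typing import Dict, Optional
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Raised when a document declares or references entities."""


def build_report(findings: Dict[str, str]) -> str:
    """Tree construction only: in-memory Element objects, no parser involved.

    This is the side of xml.etree that B405's remedy (defusedxml) does not
    wrap, because there is nothing unsafe about it.
    """
    root = ET.Element("report")
    for test_id, message in findings.items():
        item = ET.SubElement(root, "finding", id=test_id)
        item.text = message
    return ET.tostring(root, encoding="unicode")


def hardened_fromstring(text: str) -> ET.Element:
    """Parse untrusted XML into an Element while refusing DTD entity tricks.

    Entity declarations are what make exponential expansion and external
    entity (XXE) reads possible, so the expat handlers raise as soon as one
    appears, before any expansion has happened. The approach mirrors what
    defusedxml does with forbid_entities/forbid_external; it is not
    defusedxml's code.
    """
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def forbid(*_args):
        raise ForbiddenXML("entity declarations and external references are not allowed")

    parser.EntityDeclHandler = forbid
    parser.UnparsedEntityDeclHandler = forbid
    parser.ExternalEntityRefHandler = forbid
    # Forward the ordinary SAX-style events to ElementTree's own builder.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data

    parser.Parse(text, True)
    return builder.close()


def first_finding_text(root: ET.Element) -> Optional[str]:
    """A function annotated with Element: only the import line trips B405."""
    item = root.find("finding")
    return None if item is None else item.text


# Constructed sample: a small entity-expansion document. With the handlers
# above it is rejected at the first <!ENTITY ...> declaration.
BILLION_LAUGHS = """<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
]>
<lolz>&lol2;</lolz>"""


if __name__ == "__main__":
    doc = build_report({"B405": "xml.etree.ElementTree import flagged"})
    root = hardened_fromstring(doc)
    print(first_finding_text(root))
    try:
        hardened_fromstring(BILLION_LAUGHS)
    except ForbiddenXML as exc:
        print("rejected:", exc)
```

Predefined entities such as `&amp;` are still expanded, because expat handles them without a declaration; only DTD-declared and external entities are refused, which is the same line defusedxml draws.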