
Remove rule S410

Open ofek opened this issue 1 year ago • 3 comments

See this discussion https://discuss.python.org/t/status-of-defusedxml-and-recommendation-in-docs/34762

It may be valid to recommend the defusedxml third-party package over the standard library xml module, but the lxml third-party package is the de facto way to work with XML in Python, and any security issues which were previously a concern have been fixed; the defusedxml project itself now documents that it is safe.

ofek avatar Feb 18 '24 20:02 ofek

Would we need to augment the ruleset with new checks to ensure that lxml is being used with the appropriate defaults?

charliermarsh avatar Feb 20 '24 16:02 charliermarsh

Based on https://github.com/tiran/defusedxml#defusedxmllxml I was thinking you could check for `etree.XMLParser(...)` without an explicit `resolve_entities=False`, but actually, based on the documentation https://lxml.de/apidoc/lxml.etree.html#lxml.etree.XMLParser, it seems the default has been changed to be safe, so I think this rule should simply be removed.

ofek avatar Feb 20 '24 18:02 ofek
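The check floated in the comment above (flag `etree.XMLParser(...)` calls that do not pass an explicit `resolve_entities=False`) can be expressed as a small AST-based lint. The block below is an added example written for this page; it is not ruff's implementation of S410 and not code from the lxml or defusedxml projects. It assumes the common import spellings for `lxml.etree`, treats a `**kwargs` splat as "unknown, do not flag", and runs over a constructed sample module embedded inline.

```python
import ast

# Constructed sample module for this example: several XMLParser constructions,
# some of which leave resolve_entities at its default or enable it explicitly.
SAMPLE_SOURCE = '''
from lxml import etree
import lxml.etree as ET
from lxml.etree import XMLParser as Parser
import lxml.etree

p1 = etree.XMLParser()                             # default resolve_entities: flagged
p2 = etree.XMLParser(resolve_entities=False)       # explicit False: fine
p3 = ET.XMLParser(no_network=True)                 # default: flagged
p4 = ET.XMLParser(resolve_entities=True)           # explicitly enabled: flagged
p5 = Parser()                                      # default via bare name: flagged
p6 = lxml.etree.XMLParser(resolve_entities=False)  # explicit False: fine
p7 = Parser(**opts)                                # value may come from **opts: not flagged
other = XMLParser()                                # unrelated name, never imported: ignored
'''


def _collect_imports(tree):
    """Find which local names refer to the lxml.etree module or to XMLParser itself."""
    module_aliases = set()  # names bound to the lxml.etree module (etree, ET, ...)
    class_names = set()     # names bound directly to lxml.etree.XMLParser
    dotted_root = False     # True if 'import lxml.etree' makes lxml.etree.XMLParser reachable
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name == "lxml.etree":
                    if alias.asname:
                        module_aliases.add(alias.asname)
                    else:
                        dotted_root = True
        elif isinstance(node, ast.ImportFrom):
            if node.module == "lxml":
                for alias in node.names:
                    if alias.name == "etree":
                        module_aliases.add(alias.asname or "etree")
            elif node.module == "lxml.etree":
                for alias in node.names:
                    if alias.name == "XMLParser":
                        class_names.add(alias.asname or "XMLParser")
    return module_aliases, class_names, dotted_root


def _is_xmlparser_call(func, module_aliases, class_names, dotted_root):
    """True if the call target resolves to lxml.etree.XMLParser under the collected imports."""
    if isinstance(func, ast.Name):
        return func.id in class_names
    if isinstance(func, ast.Attribute) and func.attr == "XMLParser":
        base = func.value
        if isinstance(base, ast.Name):
            return base.id in module_aliases
        if (dotted_root and isinstance(base, ast.Attribute) and base.attr == "etree"
                and isinstance(base.value, ast.Name) and base.value.id == "lxml"):
            return True
    return False


def find_unsafe_lxml_parsers(source):
    """Return (lineno, message) for XMLParser calls lacking an explicit resolve_entities=False."""
    tree = ast.parse(source)
    module_aliases, class_names, dotted_root = _collect_imports(tree)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        if not _is_xmlparser_call(node.func, module_aliases, class_names, dotted_root):
            continue
        explicit = None
        has_splat = False
        for kw in node.keywords:
            if kw.arg is None:          # **kwargs: the keyword may be supplied dynamically
                has_splat = True
            elif kw.arg == "resolve_entities":
                explicit = kw.value
        if explicit is None:
            if has_splat:
                continue  # assumption for this example: cannot decide statically, so skip
            findings.append((node.lineno, "XMLParser called without resolve_entities=False"))
        elif not (isinstance(explicit, ast.Constant) and explicit.value is False):
            # Strict by design: anything other than the literal False is reported.
            findings.append((node.lineno, "resolve_entities is not the literal False"))
    return sorted(findings)


def flagged_lines(source):
    """Line numbers only, convenient for asserting on the sample."""
    return [line for line, _ in find_unsafe_lxml_parsers(source)]


if __name__ == "__main__":
    for line, msg in find_unsafe_lxml_parsers(SAMPLE_SOURCE):
        print(f"{line}: {msg}")
```

Run against the sample it reports lines 7, 9, 10 and 11. Whether such a check is worth shipping is exactly the question the thread settles: once the parser's default is itself safe, a rule that only fires on the absence of an explicit keyword produces noise rather than findings.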

Cool, I think we can remove it in v0.3.0.

charliermarsh avatar Feb 20 '24 18:02 charliermarsh

Doing this now.

charliermarsh avatar Feb 28 '24 17:02 charliermarsh