
Module `defusedxml.lxml` is not fully protected and is deprecated

Open glarrain opened this issue 5 years ago • 4 comments

We rely on function defusedxml.lxml.fromstring() for our function libs.xml_utils.parse_untrusted_xml(). What should we use instead?

DEPRECATED: Example code for lxml.etree protection. The code has NO protection against decompression bombs.

Source

defusedxml.lxml DEPRECATED: The module is deprecated and will be removed in a future release.

Source

CC @jtrh

Alternatives

Perhaps there are others?

  • defusedxml.ElementTree.fromstring
  • defusedxml.cElementTree.fromstring

glarrain, May 04 '19 01:05
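As an added example (not code from this project, from defusedxml or from SignXML), this is what a direct lxml replacement for parse_untrusted_xml() could look like. It reproduces the two checks defusedxml.lxml performed (entity expansion disabled at the parser, then the document rejected if its docinfo carries a DOCTYPE or any entity declaration), disables network access and external DTD loading, and adds an input size cap because, as the quoted notice says, neither the old module nor lxml itself guards against decompression bombs. The names MAX_XML_BYTES, UnsafeXmlError and the bytes-only signature are assumptions for the example.

```python
"""Hardened lxml parsing for untrusted input (added example, not project code).

Assumed names: MAX_XML_BYTES, UnsafeXmlError, parse_untrusted_xml(bytes).
"""
from lxml import etree

# Assumed limit: the size cap stands in for the decompression-bomb protection
# that defusedxml.lxml never provided; choose a value that fits your documents.
MAX_XML_BYTES = 10 * 1024 * 1024


class UnsafeXmlError(ValueError):
    """Raised when the document uses a construct we refuse to process."""


def _untrusted_parser() -> etree.XMLParser:
    """Parser configured so that nothing in the input can trigger side effects."""
    return etree.XMLParser(
        resolve_entities=False,  # never expand entities (entity expansion, XXE)
        no_network=True,         # never fetch external DTDs or entities
        load_dtd=False,          # do not load an external DTD subset
        huge_tree=False,         # keep libxml2's depth and size limits
        remove_comments=True,
        remove_pis=True,
    )


def _check_docinfo(root: etree._Element) -> None:
    """Reject documents that declare a DTD or any entity (same check defusedxml made)."""
    docinfo = root.getroottree().docinfo
    if docinfo.doctype:
        raise UnsafeXmlError("DOCTYPE declarations are not accepted")
    for dtd in (docinfo.internalDTD, docinfo.externalDTD):
        if dtd is None:
            continue
        for entity in dtd.iterentities():
            raise UnsafeXmlError(f"entity declaration {entity.name!r} is not accepted")


def parse_untrusted_xml(data: bytes) -> etree._Element:
    """Parse untrusted XML bytes, returning an ordinary lxml element."""
    if not isinstance(data, bytes):
        raise TypeError("pass raw bytes so the XML declaration decides the encoding")
    if len(data) > MAX_XML_BYTES:
        raise UnsafeXmlError(f"document exceeds {MAX_XML_BYTES} bytes")
    root = etree.fromstring(data, parser=_untrusted_parser())
    _check_docinfo(root)
    return root


if __name__ == "__main__":
    # Constructed inputs: one benign document and one with an internal entity.
    print(parse_untrusted_xml(b"<doc><item>ok</item></doc>").find("item").text)
    try:
        parse_untrusted_xml(b'<!DOCTYPE d [<!ENTITY e "x">]><d>&e;</d>')
    except UnsafeXmlError as exc:
        print("rejected:", exc)
```

Because the function returns plain lxml elements, the class aliases in xml_utils.py that point at lxml types keep working unchanged; only the entry point for untrusted input changes.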

The owner of the defusedxml repository is thinking of ways to solve this issue (the deprecation part, at least): https://github.com/tiran/defusedxml/issues/38#issuecomment-488647815.

Is the function defusedxml.lxml.fromstring() the only part of defusedxml.lxml that we use?

jtrh, May 06 '19 14:05

Is the function defusedxml.lxml.fromstring() the only part of defusedxml.lxml that we use?

Yes. However, since that uses lxml, the XML-related classes that we reference all over the place in that project and others are aliases to lxml classes:

https://github.com/fyndata/lib-cl-sii-python/blob/cde9fe6e09a4e97bee55134c7419eb62fecd5111/cl_sii/libs/xml_utils.py#L31-L34

glarrain, May 06 '19 14:05

SignXML removed the DefusedXML dependency by incorporating its useful parts. See https://github.com/XML-Security/signxml/commit/83c05fbfdc9efbea0ddc13cd490b423bb772ef5d.

jtrh, Jul 21 '20 00:07

Useful stuff:

  • https://github.com/XML-Security/signxml/blob/master/signxml/util/__init__.py
  • https://github.com/XML-Security/signxml/blob/83c05fbfdc9efbea0ddc13cd490b423bb772ef5d/signxml/__init__.py#L185-L245

glarrain, Jul 23 '20 14:07