document xml solution
fmigneault committed Sep 17, 2021
1 parent f9b48f6 commit 4ff4a39
Showing 2 changed files with 23 additions and 4 deletions.
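--- a/weaver/datatype.py
+++ b/weaver/datatype.py
@@ -17,6 +17,7 @@
 from owslib.wps import Process as ProcessOWS, WPSException
 from pywps import Process as ProcessWPS
 
+from weaver import xml_util
 from weaver.exceptions import ProcessInstanceError
 from weaver.execute import (
 EXECUTE_CONTROL_OPTION_ASYNC,
@@ -43,7 +44,6 @@
 STATUS_UNKNOWN,
 map_status
 )
-from weaver import xml_util
 from weaver.utils import localize_datetime # for backward compatibility of previously saved jobs not time-locale-aware
 from weaver.utils import (
 fully_qualified_name,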
25 changes: 22 additions & 3 deletions weaver/xml_util.py
@@ -1,4 +1,23 @@
from lxml import etree
"""
Define a default XML parser that avoids XXE injection.
Package :mod:`lxml` is employed directly even though some linters (e.g.: ``bandit``) report to employ ``defusedxml``
instead, because that package's extension with ``lxml`` is marked as deprecated.
.. seealso::
https://pypi.org/project/defusedxml/#defusedxml-lxml
To use the module, import is as if importing ``lxml.etree``:
.. code-block:: python
from weaver.xml_util import XML # ElementTree
from weaver import xml_util
data = xml_util.fromstring("<xml>content</xml>")
"""

from lxml import etree # nosec: B410 # flagged issue is known, this is what the applied fix below is about

# security fix: XML external entity (XXE) injection
# https://lxml.de/parsing.html#parser-options
Expand All @@ -17,8 +36,8 @@


def fromstring(text):
return etree.fromstring(text, parser=XML_PARSER)
return etree.fromstring(text, parser=XML_PARSER) # nosec: B410


def parse(source):
return etree.parse(source, parser=XML_PARSER)
return etree.parse(source, parser=XML_PARSER) # nosec: B410
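Review bot: The `# nosec: B410` appended to the `fromstring` and `parse` calls in the second hunk names the test id of the `lxml` import blacklist, while the finding bandit raises on `etree.fromstring`/`etree.parse` call sites is, as far as I recall, a separate call-blacklist id (B320), so a scanner that honours the id after `nosec` would keep reporting these two lines. Either drop the id so the bare `# nosec` applies, or use the id the scanner actually reports for the call site, e.g. `return etree.fromstring(text, parser=XML_PARSER)  # nosec: B320`, and confirm against the bandit version pinned by the project. The new module docstring in the first hunk asserts that the parser avoids XXE but the `XML_PARSER` construction sits outside the hunk, so a sentence listing the parser options it disables (as set in the constructor below) would let a reader verify the claim without opening the code. Minor wording in the same docstring: `import is as if importing` should read `import it as if importing`.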
