Switch to defusedxml for xml parsing

xml.etree.ElementTree.fromstring is considered insecure, see:
https://docs.python.org/3/library/xml.etree.elementtree.html

The defusedxml package contains several Python-only workarounds and
fixes for denial of service and other vulnerabilities in Python's XML
libraries: https://github.com/tiran/defusedxml

Fixes #670
main
Ben Busby 2022-03-01 12:54:32 -07:00
parent f7e3650728
commit 2a0ad8796c
No known key found for this signature in database
GPG Key ID: B9B7231E01D924A1
3 changed files with 3 additions and 1 deletions


@ -1,6 +1,6 @@
from app.models.config import Config
from datetime import datetime
import xml.etree.ElementTree as ET
from defusedxml import ElementTree as ET
import random
import requests
from requests import Response, ConnectionError
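Review bot: the alias `ET` is kept, but `defusedxml.ElementTree` only re-exports the parsing entry points (`parse`, `iterparse`, `fromstring`, `XMLParser`) plus a few helpers, not the whole stdlib module, so any other attribute reached through the alias in this file (for example `ET.Element` or `ET.SubElement` used to build a tree) would now fail with `AttributeError` at the call site rather than at import time; please confirm the module only calls the parsing functions, or keep `import xml.etree.ElementTree` under a different name for tree construction and route untrusted input through `defusedxml` only. Also note that `defusedxml.ElementTree.fromstring` rejects entity declarations and external references by default but still accepts a DTD (`forbid_dtd=False`); if the parsed input never legitimately carries a DOCTYPE, passing `forbid_dtd=True` tightens this further.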


@ -6,6 +6,7 @@ cffi==1.15.0
chardet==3.0.4
click==8.0.3
cryptography==3.3.2
defusedxml==0.7.1
Flask==1.1.1
Flask-Session==0.4.0
idna==2.9


@ -19,6 +19,7 @@ include_package_data = True
install_requires=
beautifulsoup4
cryptography
defusedxml
Flask
Flask-Session
python-dotenv
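Review bot: `defusedxml` is added to `install_requires` without any version bound, while requirements.txt pins it to `0.7.1`; add a matching lower bound here (`defusedxml>=0.7.1`) so that a `pip install .` of the package and an install from requirements.txt agree on the minimum version of the parser being relied on. The entry sits in the correct alphabetical position between `cryptography` and `Flask`.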