From 2a0ad8796cae61fdbb5535b56e8fc8f3c3fc5391 Mon Sep 17 00:00:00 2001
From: Ben Busby
Date: Tue, 1 Mar 2022 12:54:32 -0700
Subject: [PATCH] Switch to defusedxml for xml parsing
xml.etree.ElementTree.fromstring is considered insecure, see: https://docs.python.org/3/library/xml.etree.elementtree.html The defusedxml package contains several Python-only workarounds and fixes for denial of service and other vulnerabilities in Python's XML libraries: https://github.com/tiran/defusedxml
Fixes #670
---
 app/request.py | 2 +-
 requirements.txt | 1 +
 setup.cfg | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/app/request.py b/app/request.py
index 17ac034..d222c45 100644
--- a/app/request.py
+++ b/app/request.py
@@ -1,6 +1,6 @@
 from app.models.config import Config
 from datetime import datetime
-import xml.etree.ElementTree as ET
+from defusedxml import ElementTree as ET
 import random
 import requests
 from requests import Response, ConnectionError
diff --git a/requirements.txt b/requirements.txt
index 05a3872..d6fc75f 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -6,6 +6,7 @@ cffi==1.15.0
 chardet==3.0.4
 click==8.0.3
 cryptography==3.3.2
+defusedxml==0.7.1
 Flask==1.1.1
 Flask-Session==0.4.0
 idna==2.9
diff --git a/setup.cfg b/setup.cfg
index 7edf18a..1d3c2f3 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -19,6 +19,7 @@ include_package_data = True
 install_requires=
     beautifulsoup4
     cryptography
+    defusedxml
     Flask
     Flask-Session
     python-dotenv
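Review bot: The new `from defusedxml import ElementTree as ET` line keeps the `ET` alias, but every use of `ET` in app/request.py lies outside this hunk, and defusedxml's ElementTree module re-exports only the parsing entry points (`parse`, `iterparse`, `fromstring`, `XML`, `XMLParser`, `ParseError`), not element constructors such as `ET.Element` or `ET.SubElement`, so each `ET.` use in the file should be checked before merging. Also worth noting: defusedxml rejects documents with DTDs, entity declarations or external references by raising `DefusedXmlException` subclasses, which derive from `ValueError` rather than `ET.ParseError`; if the `fromstring` call is guarded by `except ET.ParseError`, such a response now escapes that handler, so widen it, e.g. `except (ET.ParseError, ValueError):`, or catch `defusedxml.DefusedXmlException` explicitly. A comment at the import, `# defusedxml: refuses DTD/entity expansion and external entities in fetched XML`, would record why the stdlib parser was replaced.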
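Review bot: In the setup.cfg hunk `defusedxml` is added to `install_requires` without a version floor, while the requirements.txt hunk pins `defusedxml==0.7.1`; an install driven by setup.cfg alone could therefore resolve an older release than the one the project was tested against. Consider `    defusedxml>=0.7.1` so both declarations agree on the minimum version.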