Switch to defusedxml for xml parsing

xml.etree.ElementTree.fromstring is considered insecure, see:
https://docs.python.org/3/library/xml.etree.elementtree.html

The defusedxml package contains several Python-only workarounds and
fixes for denial of service and other vulnerabilities in Python's XML
libraries: https://github.com/tiran/defusedxml

Fixes #670
main
Ben Busby 2022-03-01 12:54:32 -07:00
parent f7e3650728
commit 2a0ad8796c
No known key found for this signature in database
GPG Key ID: B9B7231E01D924A1
3 changed files with 3 additions and 1 deletions


@ -1,6 +1,6 @@
from app.models.config import Config from app.models.config import Config
from datetime import datetime from datetime import datetime
import xml.etree.ElementTree as ET from defusedxml import ElementTree as ET
import random import random
import requests import requests
from requests import Response, ConnectionError from requests import Response, ConnectionError
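Review bot: the import swap alone does not show whether the rest of this module still resolves every `ET.` reference; `defusedxml.ElementTree` wraps only the parsing entry points (`parse`, `iterparse`, `fromstring`/`XML`, `XMLParser`) and re-exports `ParseError` and `tostring`, so any use of tree-building names such as `ET.Element` or `ET.SubElement` in the unchanged part of the file would now raise `AttributeError`. Worth a grep before merging. Also note that a document rejected by defusedxml surfaces as `defusedxml.EntitiesForbidden` or `defusedxml.DTDForbidden` (subclasses of `DefusedXmlException`, itself a `ValueError`), not as `ET.ParseError`, so an existing `except ET.ParseError:` around `ET.fromstring(...)` will not catch the new failure mode on malicious input; widen it to `except (ET.ParseError, defusedxml.DefusedXmlException):` or handle `ValueError`.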


@ -6,6 +6,7 @@ cffi==1.15.0
chardet==3.0.4 chardet==3.0.4
click==8.0.3 click==8.0.3
cryptography==3.3.2 cryptography==3.3.2
defusedxml==0.7.1
Flask==1.1.1 Flask==1.1.1
Flask-Session==0.4.0 Flask-Session==0.4.0
idna==2.9 idna==2.9


@ -19,6 +19,7 @@ include_package_data = True
install_requires= install_requires=
beautifulsoup4 beautifulsoup4
cryptography cryptography
defusedxml
Flask Flask
Flask-Session Flask-Session
python-dotenv python-dotenv
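Review bot: `install_requires` adds `defusedxml` without a version bound while requirements.txt pins `defusedxml==0.7.1`; that matches the convention the neighbouring entries already follow, so it is not a blocker, but a lower bound such as `defusedxml>=0.7.1` here would keep package installs (which never read requirements.txt) on the same release that was tested. Placement between `cryptography` and `Flask` keeps the case-insensitive ordering used in the rest of the list.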