Switch to defusedxml for xml parsing

xml.etree.ElementTree.fromstring is considered insecure, see: https://docs.python.org/3/library/xml.etree.elementtree.html The defusedxml package contains several Python-only workarounds and fixes for denial of service and other vulnerabilities in Python's XML libraries: https://github.com/tiran/defusedxml Fixes #670
2 years ago · 2a0ad8796c
parent f7e3650728
commit 2a0ad8796c
3 changed files with 3 additions and 1 deletions
--- a/app/request.py
+++ b/app/request.py
@ -1,6 +1,6 @@
 from app.models.config import Config
 from datetime import datetime
-import xml.etree.ElementTree as ET
+from defusedxml import ElementTree as ET
 import random
 import requests
 from requests import Response, ConnectionError
--- a/requirements.txt
+++ b/requirements.txt
@ -6,6 +6,7 @@ cffi==1.15.0
 chardet==3.0.4
 click==8.0.3
 cryptography==3.3.2
+defusedxml==0.7.1
 Flask==1.1.1
 Flask-Session==0.4.0
 idna==2.9
--- a/setup.cfg
+++ b/setup.cfg
@ -19,6 +19,7 @@ include_package_data = True
 install_requires=
    beautifulsoup4
    cryptography
+    defusedxml
    Flask
    Flask-Session
    python-dotenv