From 2a0ad8796cae61fdbb5535b56e8fc8f3c3fc5391 Mon Sep 17 00:00:00 2001
From: Ben Busby <contact@benbusby.com>
Date: Tue, 1 Mar 2022 12:54:32 -0700
Subject: [PATCH] Switch to defusedxml for xml parsing

xml.etree.ElementTree.fromstring is considered insecure, see:
https://docs.python.org/3/library/xml.etree.elementtree.html

The defusedxml package contains several Python-only workarounds and
fixes for denial of service and other vulnerabilities in Python's XML
libraries: https://github.com/tiran/defusedxml

Fixes #670
---
 app/request.py   | 2 +-
 requirements.txt | 1 +
 setup.cfg        | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/app/request.py b/app/request.py
index 17ac034..d222c45 100644
--- a/app/request.py
+++ b/app/request.py
@@ -1,6 +1,6 @@
 from app.models.config import Config
 from datetime import datetime
-import xml.etree.ElementTree as ET
+from defusedxml import ElementTree as ET
 import random
 import requests
 from requests import Response, ConnectionError
diff --git a/requirements.txt b/requirements.txt
index 05a3872..d6fc75f 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -6,6 +6,7 @@ cffi==1.15.0
 chardet==3.0.4
 click==8.0.3
 cryptography==3.3.2
+defusedxml==0.7.1
 Flask==1.1.1
 Flask-Session==0.4.0
 idna==2.9
diff --git a/setup.cfg b/setup.cfg
index 7edf18a..1d3c2f3 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -19,6 +19,7 @@ include_package_data = True
 install_requires=
     beautifulsoup4
     cryptography
+    defusedxml
     Flask
     Flask-Session
     python-dotenv