fix: use defusedxml instead of xml library

splunk · May 27, 2021 · c3fdfc0 · c3fdfc0
1 parent b47a713
commit c3fdfc0
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 7 deletions.
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -58,6 +58,7 @@ reuse = "*"
 
 Sphinx = "^4.0.2"
 sphinx-rtd-theme = "^0.5.2"
+defusedxml = "^0.7.1"
 [tool.poetry.dev-dependencies]
 pytest = "^6.0"
 pytest-splunk-addon = { version = "^1.6", extras = [ "docker" ] }

diff --git a/splunk_add_on_ucc_framework/__init__.py b/splunk_add_on_ucc_framework/__init__.py
@@ -13,7 +13,7 @@
 import sys
 import argparse
 import json
-from xml.etree import cElementTree as et
+from defusedxml import cElementTree as defused_et
 from .uccrestbuilder.global_config import (
     GlobalConfigBuilderSchema,
     GlobalConfigPostProcessor,
@@ -586,7 +586,7 @@ def _removeinput(path):
         Args:
             path (str) : path to default.xml
         """
-        tree = et.parse(path)
+        tree = defused_et.parse(path)
         root = tree.getroot()
 
         for element in root:

diff --git a/splunk_add_on_ucc_framework/modular_alert_builder/build_core/alert_actions_html_gen.py b/splunk_add_on_ucc_framework/modular_alert_builder/build_core/alert_actions_html_gen.py
@@ -13,7 +13,7 @@
 from munch import Munch
 from mako.template import Template
 from mako.lookup import TemplateLookup
-from lxml import etree, html
+from defusedxml import lxml as defused_lxml
 from re import search
 from .alert_actions_template import AlertActionsTemplateMgr
 from .alert_actions_helper import write_file
@@ -74,13 +74,13 @@ def handle_one_alert(self, one_alert_setting):
         alert_obj = Munch.fromDict(one_alert_setting)
         final_form = self._template.render(mod_alert=alert_obj,
                                            home_page=self._html_home)
-        final_form = html.fromstring(final_form)
+        final_form = defused_lxml.fromstring(final_form)
 # Checking python version before converting and encoding XML Tree to string.
         if sys.version_info < (3, 0):
-            final_string = etree.tostring(final_form, encoding='utf-8',
+            final_string = defused_lxml.tostring(final_form, encoding='utf-8',
                                           pretty_print=True)
         else:
-            final_string = etree.tostring(
+            final_string = defused_lxml.tostring(
                 final_form, encoding='utf-8', pretty_print=True)
         text = linesep.join(
             [s for s in final_string.decode('utf-8').splitlines() if not search(r'^\s*$', s)])