From acbbc8a441be6f481fd723988663f23e33b570d4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Diego=20Vel=C3=A1squez?=
Date: Fri, 30 Jun 2023 18:47:17 -0500
Subject: [PATCH] chore: remove warnings from defusedxml package
---
 openedx/core/lib/safe_lxml/__init__.py | 2 --
 openedx/core/lib/safe_lxml/etree.py | 7 +++----
 openedx/core/lib/safe_lxml/tests.py | 25 ++++++++++-----------
 3 files changed, 13 insertions(+), 21 deletions(-)
diff --git a/openedx/core/lib/safe_lxml/__init__.py b/openedx/core/lib/safe_lxml/__init__.py
index b17efb15cc15..d7d5239c5102 100644
--- a/openedx/core/lib/safe_lxml/__init__.py
+++ b/openedx/core/lib/safe_lxml/__init__.py
@@ -7,8 +7,6 @@ def defuse_xml_libs():
 """
 Monkey patch and defuse all stdlib xml packages and lxml.
 """
- from defusedxml import defuse_stdlib
- defuse_stdlib()
 import lxml
 import lxml.etree
diff --git a/openedx/core/lib/safe_lxml/etree.py b/openedx/core/lib/safe_lxml/etree.py
index 21593f06ef4c..c5a684528dc6 100644
--- a/openedx/core/lib/safe_lxml/etree.py
+++ b/openedx/core/lib/safe_lxml/etree.py
@@ -16,10 +16,9 @@
 from lxml.etree import XMLParser as _XMLParser
 from lxml.etree import * # lint-amnesty, pylint: disable=redefined-builtin
-from lxml.etree import _Element, _ElementTree
-
-# This should be imported after lxml.etree so that it overrides the following attributes.
-from defusedxml.lxml import XML, fromstring, parse
+# These private elements are used in some libraries to also defuse xml exploits for their own purposes.
+# We need to re-expose them so that the libraries still work.
+from lxml.etree import _Comment, _Element, _ElementTree, _Entity, _ProcessingInstruction
 class XMLParser(_XMLParser): # pylint: disable=function-redefined
diff --git a/openedx/core/lib/safe_lxml/tests.py b/openedx/core/lib/safe_lxml/tests.py
index 3608d43bfa93..7d7c1fbbf05e 100644
--- a/openedx/core/lib/safe_lxml/tests.py
+++ b/openedx/core/lib/safe_lxml/tests.py
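Review bot: The docstring kept as context in the `__init__.py` hunk, `Monkey patch and defuse all stdlib xml packages and lxml.`, no longer matches the body: the call that patched the stdlib packages, `defuse_stdlib()`, is removed here, and nothing left in the hunk touches `xml.etree`, `xml.dom` or `xml.sax` (the remainder of `defuse_xml_libs()` is outside the hunk). I would change that line to `Monkey patch and defuse lxml; the stdlib xml packages are no longer patched here.` so a reader does not assume the stdlib parsers are still hardened process-wide. Any caller that relied on that process-wide patching now gets the stock stdlib parsers and needs its own mitigation (an explicit defused or entity-disabled parser), which is worth saying in the commit message rather than only "remove warnings".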
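Review bot: In the `etree.py` hunk, the removed `from defusedxml.lxml import XML, fromstring, parse` was the line that shadowed the `XML`, `fromstring` and `parse` names re-exported by `from lxml.etree import *` with entity-refusing versions; after this change those three names are lxml's own functions, which fall back to lxml's default parser whenever `parser=` is omitted, so unless the remainder of the module (outside this hunk) rebinds them to use the `XMLParser` subclass opened on the hunk's last line, `safe_lxml.etree.fromstring(data)` with no explicit parser is no longer defused while its module path still promises that. Either rebind them there or document the gap on the new import, e.g. `# NOTE: only the XMLParser subclass below is hardened; XML/fromstring/parse re-exported from lxml.etree use lxml's defaults unless a parser is passed.`, and cover it with a test that calls each of the three through `openedx.core.lib.safe_lxml.etree` without a parser. The new two-line comment also misdescribes what it re-exports: `_Comment`, `_Entity` and `_ProcessingInstruction` are lxml node types that other libraries presumably import for type checks, not something that "defuses xml exploits"; `# Re-exported because some libraries import these private lxml node types from etree.` states only what is known.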
@@ -1,29 +1,24 @@
 """
 Test that we have defused XML.
-
-For these tests, the defusing will happen in one or more of the `conftest.py`
-files that runs at pytest startup calls `defuse_xml_libs()`.
-
-In production, the defusing happens when the LMS or Studio `wsgi.py` files
-call `defuse_xml_libs()`.
 """
-import defusedxml
 from lxml import etree
 import pytest
-@pytest.mark.parametrize("attr", ["XML", "fromstring", "parse"])
-def test_etree_is_defused(attr):
- func = getattr(etree, attr)
- assert "defused" in func.__code__.co_filename
+def test_entities_resolved():
+ xml = ']> &hi;'
+ parser = etree.XMLParser(resolve_entities=True)
+ tree = etree.fromstring(xml, parser=parser)
+ pr = etree.tostring(tree)
+ assert pr == b'Hello'
 def test_entities_arent_resolved():
- # Make sure we have disabled entity resolution.
 xml = ']> &hi;'
- parser = etree.XMLParser()
- with pytest.raises(defusedxml.EntitiesForbidden):
- _ = etree.XML(xml, parser=parser)
+ parser = etree.XMLParser(resolve_entities=False)
+ tree = etree.fromstring(xml, parser=parser)
+ pr = etree.tostring(tree)
+ assert pr == b'&hi;'
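Review bot: Neither new test exercises the code under test: both build the parser explicitly with `etree.XMLParser(resolve_entities=...)` and `etree` is plain `lxml.etree` (the context line `from lxml import etree`), so the assertions hold for stock lxml regardless of what `defuse_xml_libs()` or `safe_lxml.etree.XMLParser` does, and the deleted `test_etree_is_defused` was the only check tied to the safe wrapper. I would add a test that goes through `openedx.core.lib.safe_lxml.etree` and calls `fromstring` and `XML` without a `parser=` argument, asserting the entity is left as `&hi;`, since that default path is the one callers actually use; sketched below, reusing this hunk's `xml` document. The XML literals as shown here (`']> &hi;'`, `b'Hello'`) have lost their markup in this rendering, so their intent is read from the assertions. The removed module docstring also said where `defuse_xml_libs()` runs in tests and production; a one-line replacement such as `Tests that parsing through safe_lxml leaves entities unexpanded by default.` keeps the file self-describing.
```python
# … unchanged: existing tests …


def test_default_parser_leaves_entities_unexpanded():
    # `safe_etree` is `openedx.core.lib.safe_lxml.etree` (imported at the top of the file);
    # `xml` is the same entity-declaring document used in test_entities_arent_resolved.
    for parse in (safe_etree.fromstring, safe_etree.XML):
        assert b"&hi;" in safe_etree.tostring(parse(xml))
```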