chore: remove warnings from defusedxml package #1


Open
wants to merge 1 commit into
base: open-release/palm.master
2 changes: 0 additions & 2 deletions openedx/core/lib/safe_lxml/__init__.py
Expand Up @@ -7,8 +7,6 @@ def defuse_xml_libs():
"""
Monkey patch and defuse all stdlib xml packages and lxml.
"""
from defusedxml import defuse_stdlib
defuse_stdlib()

import lxml
import lxml.etree
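Review bot: With the `defuse_stdlib()` call gone from `defuse_xml_libs`, the docstring on L42, `Monkey patch and defuse all stdlib xml packages and lxml.`, no longer describes what the function does: nothing left in the visible body touches `xml.etree`, `xml.dom.minidom`, `xml.sax`, `xml.dom.pulldom` or `xmlrpc`, so any call site in the codebase that parses untrusted input through those stdlib modules loses the global protection against entity-expansion and external-entity payloads, and silencing what is presumably a deprecation warning does not substitute for that. If the intent is that such call sites now use `defusedxml.ElementTree` / `defusedxml.minidom` directly, say so where the next maintainer will look, e.g. `"""Defuse lxml. The stdlib xml packages are no longer patched here; parse untrusted XML with the defusedxml.* modules explicitly."""`, and confirm with a grep of `xml.etree`/`minidom`/`xml.sax` imports that no remaining caller relied on the patch. The body of `defuse_xml_libs` continues past the end of the hunk, so the lxml part of the defusing is not visible here.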
7 changes: 3 additions & 4 deletions openedx/core/lib/safe_lxml/etree.py
Expand Up @@ -16,10 +16,9 @@

from lxml.etree import XMLParser as _XMLParser
from lxml.etree import * # lint-amnesty, pylint: disable=redefined-builtin
from lxml.etree import _Element, _ElementTree

# This should be imported after lxml.etree so that it overrides the following attributes.
from defusedxml.lxml import XML, fromstring, parse
# These private elements are used in some libraries to also defuse xml exploits for their own purposes.
# We need to re-expose them so that the libraries still work.
from lxml.etree import _Comment, _Element, _ElementTree, _Entity, _ProcessingInstruction


class XMLParser(_XMLParser): # pylint: disable=function-redefined
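Review bot: Dropping `from defusedxml.lxml import XML, fromstring, parse` without a replacement leaves `XML`, `fromstring` and `parse` as the plain lxml functions re-exported by `from lxml.etree import *` on L55, and those use lxml's default parser when no `parser=` is passed — a parser that, per lxml's documentation, resolves entities — so `safe_lxml.etree.fromstring(untrusted)` in the common no-parser form is presumably no longer safe. The `XMLParser` subclass on L65 (its body is outside the hunk, so I am assuming it disables entity resolution) only helps callers that construct a parser themselves. Either keep the defusedxml overrides or define thin module-level wrappers after the class that fall back to the hardened parser, as sketched below; `set_default_parser()` is the other option, but lxml documents it as a per-thread setting, which is fragile under a multi-threaded WSGI server. The parser is created per call here because sharing one instance across threads is something I would want confirmed against the lxml version in use.
```python
from lxml.etree import XML as _XML, fromstring as _fromstring, parse as _parse
# … unchanged: star import, private-element re-exports, XMLParser subclass …


def fromstring(text, parser=None, *, base_url=None):  # pylint: disable=function-redefined
    """lxml.etree.fromstring, defaulting to the hardened XMLParser instead of lxml's default."""
    return _fromstring(text, parser=parser if parser is not None else XMLParser(), base_url=base_url)


def XML(text, parser=None, *, base_url=None):  # pylint: disable=function-redefined,invalid-name
    """lxml.etree.XML with the same hardened default parser."""
    return _XML(text, parser=parser if parser is not None else XMLParser(), base_url=base_url)


def parse(source, parser=None, *, base_url=None):  # pylint: disable=function-redefined
    """lxml.etree.parse with the same hardened default parser."""
    return _parse(source, parser=parser if parser is not None else XMLParser(), base_url=base_url)
```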
25 changes: 10 additions & 15 deletions openedx/core/lib/safe_lxml/tests.py
@@ -1,29 +1,24 @@
"""
Test that we have defused XML.

For these tests, the defusing will happen in one or more of the `conftest.py`
files that runs at pytest startup calls `defuse_xml_libs()`.

In production, the defusing happens when the LMS or Studio `wsgi.py` files
call `defuse_xml_libs()`.
"""


import defusedxml
from lxml import etree

import pytest


@pytest.mark.parametrize("attr", ["XML", "fromstring", "parse"])
def test_etree_is_defused(attr):
func = getattr(etree, attr)
assert "defused" in func.__code__.co_filename
def test_entities_resolved():
xml = '<?xml version="1.0"?><!DOCTYPE mydoc [<!ENTITY hi "Hello">]> <root>&hi;</root>'
parser = etree.XMLParser(resolve_entities=True)
tree = etree.fromstring(xml, parser=parser)
pr = etree.tostring(tree)
assert pr == b'<root>Hello</root>'


def test_entities_arent_resolved():
# Make sure we have disabled entity resolution.
xml = '<?xml version="1.0"?><!DOCTYPE mydoc [<!ENTITY hi "Hello">]> <root>&hi;</root>'
parser = etree.XMLParser()
with pytest.raises(defusedxml.EntitiesForbidden):
_ = etree.XML(xml, parser=parser)
parser = etree.XMLParser(resolve_entities=False)
tree = etree.fromstring(xml, parser=parser)
pr = etree.tostring(tree)
assert pr == b'<root>&hi;</root>'
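Review bot: The rewritten `test_entities_arent_resolved` passes `resolve_entities=False` explicitly on L105, so it now exercises lxml's own option rather than anything `safe_lxml` does — it would pass unchanged if `etree.XMLParser` were a plain alias for `lxml.etree.XMLParser`, which means the module's defaults are no longer covered by any test once `test_etree_is_defused` is gone. Construct the parser with no arguments so the subclass's defaults are what is asserted, `parser = etree.XMLParser()`, and add the no-parser form that most callers will actually use: `tree = etree.fromstring(xml)` followed by `assert etree.tostring(tree) == b'<root>&hi;</root>'`. If the intended contract is that entity use raises rather than passes through, assert the exception instead, but either way the test should pin the module's behaviour, not lxml's. A second payload using an external entity (`<!ENTITY ext SYSTEM "file:///...">`) would make the XXE case explicit rather than implied by the internal-entity one.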