Use defusedxml for more security

TheLovinator1 · May 12, 2023 · 25a0e9f · 25a0e9f
1 parent 6f84535
commit 25a0e9f
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 9 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -32,7 +32,7 @@ repos:
           ]
 
   - repo: https://github.com/tox-dev/pyproject-fmt
-    rev: "0.10.0"
+    rev: "0.11.2"
     hooks:
       - id: pyproject-fmt
         name: Format pyproject.toml with pyproject-fmt
@@ -110,7 +110,7 @@ repos:
   # Run Ruff on all Python files. We do this before Black so that Black can
   # format the code that Ruff changes.
   - repo: https://github.com/charliermarsh/ruff-pre-commit
-    rev: "v0.0.263"
+    rev: "v0.0.265"
     hooks:
       - id: ruff
         name: Lint Python code with Ruff
@@ -133,7 +133,7 @@ repos:
 
   # Run Pyupgrade on all Python files. This will upgrade the code to Python 3.11.
   - repo: https://github.com/asottile/pyupgrade
-    rev: v3.3.2
+    rev: v3.4.0
     hooks:
       - id: pyupgrade
         name: Upgrade Python syntax to Python 3.11 with pyupgrade

diff --git a/discord_twitter_webhooks/send_embed.py b/discord_twitter_webhooks/send_embed.py
@@ -1,8 +1,8 @@
 from functools import lru_cache
 from random import randint
 from typing import TYPE_CHECKING
-from xml.etree import ElementTree
 
+from defusedxml import ElementTree
 from discord_webhook import DiscordEmbed, DiscordWebhook
 from loguru import logger
 from reader import Entry
@@ -12,6 +12,8 @@
 from discord_twitter_webhooks.get_tweet_text import get_tweet_text
 
 if TYPE_CHECKING:
+    from xml.etree.ElementTree import Element
+
     from requests import Response
 
 
@@ -52,9 +54,12 @@ def get_avatar(rss_feed: str) -> str:
         # Parse XML and get the avatar
         xml_data: str = response.content.decode("utf-8")
 
-        # TODO: This is a security risk, we should use https://github.com/tiran/defusedxml
-        root: ElementTree.Element = ElementTree.fromstring(xml_data)  # noqa: S314
-        found: ElementTree.Element | None = root.find("channel/image/url")
+        try:
+            root: Element = ElementTree.fromstring(xml_data)
+            found: Element | None = root.find("channel/image/url")
+        except ElementTree.ParseError:
+            logger.error("Unable to parse XML from {}", rss_feed)
+            return default_avatar
 
         return found.text or default_avatar if found is not None else default_avatar
 

diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -27,6 +27,7 @@ python-multipart = "^0.0.6"
 uvicorn = "^0.21.1"
 httpx = "^0.24.0"
 lxml = "^4.9.2"
+defusedxml = "^0.7.1"
 
 [tool.poetry.dev-dependencies]
 pytest = "^7.1.2"

diff --git a/requirements.txt b/requirements.txt
@@ -92,6 +92,9 @@ click==8.1.3 ; python_version >= "3.11" and python_version < "4.0" \
 colorama==0.4.6 ; python_version >= "3.11" and python_version < "4.0" and sys_platform == "win32" or python_version >= "3.11" and python_version < "4.0" and platform_system == "Windows" \
     --hash=sha256:08695f5cb7ed6e0531a20572697297273c47b8cae5a63ffc6d6ed5c201be6e44 \
     --hash=sha256:4f1d9991f5acc0ca119f9d443620b77f9d6b33703e51011c16baf57afb285fc6
+defusedxml==0.7.1 ; python_version >= "3.11" and python_version < "4.0" \
+    --hash=sha256:1bb3032db185915b62d7c6209c5a8792be6a32ab2fedacc84e01b52c51aa3e69 \
+    --hash=sha256:a352e7e428770286cc899e2542b6cdaedb2b4953ff269a210103ec58f6198a61
 discord-webhook==1.1.0 ; python_version >= "3.11" and python_version < "4.0" \
     --hash=sha256:9ea24d124e3932c15afac6b7811849920299fca7ea0905c9d4c0ae07f72155b3 \
     --hash=sha256:e357966432be2dcf7e1fed01213b6f75be1df4d40c17269b8c24f8a6b5afc78a