diff --git a/requirements.in b/requirements.in
index 02a3a75d..313df023 100644
--- a/requirements.in
+++ b/requirements.in
@@ -11,7 +11,7 @@ Django>=2.2.24
 djangorestframework>=3.10.3,<3.15
 importlib-metadata==6.1.0
 jsonschema==4.21.1
-lxml==4.9.4
+lxml==5.1.0
 marshmallow==3.20.2
 pydantic==2.6.1
 pyOpenSSL==24.0.0
diff --git a/requirements.txt b/requirements.txt
index 30d7da70..4c5cd68f 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -39,7 +39,7 @@ jsonschema==4.21.1
 # via -r requirements.in
 jsonschema-specifications==2023.7.1
 # via jsonschema
-lxml==4.9.4
+lxml==5.1.0
 # via
 # -r requirements.in
 # signxml
diff --git a/setup.py b/setup.py
index 838138ae..6d84bfb1 100644
--- a/setup.py
+++ b/setup.py
@@ -24,7 +24,7 @@ def get_version(*file_paths: str) -> str:
 'cryptography>=38.0.0',
 'defusedxml>=0.6.0,<1',
 'jsonschema>=3.1.1',
- 'lxml>=4.6.5,<5',
+ 'lxml>=4.6.5,<6',
 'marshmallow>=3,<4',
 'pydantic>=2.3.0,!=1.7.*,!=1.8.*,!=1.9.*',
 'pyOpenSSL>=22.0.0',
diff --git a/src/tests/test_libs_xml_utils.py b/src/tests/test_libs_xml_utils.py
index 2ab5c33c..e30c7f45 100644
--- a/src/tests/test_libs_xml_utils.py
+++ b/src/tests/test_libs_xml_utils.py
@@ -51,17 +51,21 @@ def test_attack_billion_laughs_1(self) -> None:
 self.assertSequenceEqual(
 cm.exception.args,
- ("XML syntax error. Detected an entity reference loop, line 1, column 7.",),
+ (
+ "XML syntax error."
+ " Maximum entity amplification factor exceeded, see xmlCtxtSetMaxAmplification.,"
+ " line 1, column 25.",
+ ),
 )
 def test_attack_billion_laughs_2(self) -> None:
 value = read_test_file_bytes('test_data/xml/attacks/billion-laughs-2.xml')
- with self.assertRaises(XmlSyntaxError) as cm:
+ with self.assertRaises(XmlFeatureForbidden) as cm:
 parse_untrusted_xml(value)
 self.assertSequenceEqual(
 cm.exception.args,
- ("XML syntax error. Detected an entity reference loop, line 1, column 4.",),
+ ("XML uses or contains a forbidden feature.",),
 )
 def test_attack_quadratic_blowup(self) -> None:
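Review bot: The new expectation in test_attack_billion_laughs_1 pins the parser's exact message wording and position (`see xmlCtxtSetMaxAmplification.,` and `line 1, column 25`), while the setup.py hunk in this commit still permits `lxml>=4.6.5,<6`; the removed 4.9.4 expectation shows that this text differs between versions inside that range, so the test presumably passes only against the pinned 5.1.0. Consider asserting the exception type plus the stable prefix instead, e.g. `self.assertTrue(cm.exception.args[0].startswith("XML syntax error."))`. In test_attack_billion_laughs_2 the expected exception changes from XmlSyntaxError to XmlFeatureForbidden with no explanation; a comment such as `# with lxml 5.x this input is no longer reported as an entity reference loop; it is rejected as a forbidden feature (confirm which check raises)` would record why. The body of parse_untrusted_xml is not visible in this diff, so it is worth confirming that callers handling untrusted XML catch both exception types rather than only XmlSyntaxError. Both test methods start or continue outside the hunk.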