This repository has been archived by the owner on Oct 6, 2020. It is now read-only.
Some good heuristics to start:

- `defusedxml.lxml.fromstring` with `forbid_dtd`, `forbid_entities`, `forbid_external` turned off (`forbid_dtd` is off by default)
- `defusedxml.lxml.iterparse` with ...
- `defusedxml.lxml.parse` with ...
- Anything similar we can find in xmlsec

I would say we're mostly there to include this via `BadKwargUseLinter`. However, I think we need to improve our import detection before we can include this rule (e.g. #1, #2). I say this because of two reasons:

1. `forbid_dtd` is off by default, so we'll be checking for a lack of this kwarg specification.
2. `parse` is a common enough function name.

So, if we don't have confidence that a `parse` call corresponds to `defusedxml.lxml.parse`, and we're simply checking for a lack of `forbid_dtd`, I believe we'll encounter lots of false positives.
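As an added illustration (not code from this linter project, and not its `BadKwargUseLinter`), here is an import-aware sketch of the rule the issue describes: it resolves names through `import` / `from ... import` statements before deciding that a `parse`, `fromstring` or `iterparse` call targets `defusedxml.lxml`, then reports a missing `forbid_dtd` (which defaults to `False` in `defusedxml.lxml`) or an explicit `False` for any of the three `forbid_*` kwargs. The sample source string is constructed for the example; the `lint_source` / `DefusedLxmlKwargLinter` names are this example's own.

```python
import ast

# defusedxml.lxml entry points whose keyword arguments control hardening.
DEFUSED_LXML_FUNCS = {"fromstring", "parse", "iterparse"}
# forbid_dtd defaults to False, so merely omitting it is a finding;
# forbid_entities / forbid_external default to True, so only an explicit False is.
FINDING_IF_MISSING = {"forbid_dtd"}
FINDING_IF_FALSE = {"forbid_dtd", "forbid_entities", "forbid_external"}


class DefusedLxmlKwargLinter(ast.NodeVisitor):
    """Report defusedxml.lxml calls whose hardening kwargs are missing or disabled.

    Names are resolved through the module's imports first, so a bare parse(...)
    that was not imported from defusedxml.lxml is never reported (this is the
    false-positive case the issue is worried about).
    """

    def __init__(self):
        self.module_aliases = set()  # names bound to the defusedxml.lxml module
        self.func_aliases = {}       # local name -> defusedxml.lxml function name
        self.findings = []           # (lineno, qualified function name, reason)

    def visit_Import(self, node):
        for alias in node.names:
            if alias.name == "defusedxml.lxml":
                # `import defusedxml.lxml` is used as defusedxml.lxml.parse(...);
                # `import defusedxml.lxml as dl` is used as dl.parse(...)
                self.module_aliases.add(alias.asname or "defusedxml.lxml")
        self.generic_visit(node)

    def visit_ImportFrom(self, node):
        if node.module == "defusedxml.lxml":
            for alias in node.names:
                if alias.name in DEFUSED_LXML_FUNCS:
                    self.func_aliases[alias.asname or alias.name] = alias.name
        elif node.module == "defusedxml":
            for alias in node.names:
                if alias.name == "lxml":
                    self.module_aliases.add(alias.asname or "lxml")
        self.generic_visit(node)

    def _resolve(self, func):
        """Return the defusedxml.lxml function a call targets, or None."""
        if isinstance(func, ast.Name):
            return self.func_aliases.get(func.id)
        if isinstance(func, ast.Attribute) and func.attr in DEFUSED_LXML_FUNCS:
            if ast.unparse(func.value) in self.module_aliases:
                return func.attr
        return None

    def visit_Call(self, node):
        name = self._resolve(node.func)
        if name is not None:
            qualified = f"defusedxml.lxml.{name}"
            explicit = {kw.arg: kw.value for kw in node.keywords if kw.arg}
            # With a **kwargs splat we cannot see what is passed, so skip the
            # "missing kwarg" check rather than guess and produce noise.
            has_splat = any(kw.arg is None for kw in node.keywords)
            if not has_splat:
                for kw in sorted(FINDING_IF_MISSING):
                    if kw not in explicit:
                        self.findings.append(
                            (node.lineno, qualified, f"{kw} not passed (defaults to False)"))
            for kw, value in explicit.items():
                if kw in FINDING_IF_FALSE and isinstance(value, ast.Constant) and value.value is False:
                    self.findings.append((node.lineno, qualified, f"{kw}=False"))
        self.generic_visit(node)


def lint_source(source):
    """Parse a Python source string and return its findings in source order."""
    linter = DefusedLxmlKwargLinter()
    linter.visit(ast.parse(source))
    return linter.findings


# Constructed sample module: lines 5 and 7 should be reported, 6 and 8 should not.
SAMPLE = """\
from defusedxml.lxml import fromstring, parse as dparse
import defusedxml.lxml as dl
from json import loads as parse

tree1 = fromstring(data)
tree2 = dparse(path, forbid_dtd=True)
tree3 = dl.iterparse(fh, forbid_dtd=True, forbid_entities=False)
obj = parse(text)
"""

if __name__ == "__main__":
    for lineno, func, reason in lint_source(SAMPLE):
        print(f"line {lineno}: {func}: {reason}")
```

The `parse` on line 8 of the sample is `json.loads` under an alias and is left alone, which is exactly the precision the import-detection improvement is meant to buy; a call made through a `**kwargs` splat is also skipped for the "missing" check, since the linter cannot know what the splat carries.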