DM-40247: Improve webdav interface as suggested by ruff S checks #63
Conversation
The standard library 'xml' package is vulnerable to XML bombs. See: * https://en.wikipedia.org/wiki/Billion_laughs_attack * https://realpython.com/python-xml-parser/#defuse-the-xml-bomb-with-secure-parsers
airnandez
changed the title
Codecov ReportPatch coverage:
Additional details and impacted files@@ Coverage Diff @@
## main #63 +/- ##
==========================================
+ Coverage 85.86% 85.91% +0.05%
==========================================
Files 27 27
Lines 3913 3927 +14
Branches 801 805 +4
==========================================
+ Hits 3360 3374 +14
Misses 433 433
Partials 120 120
☔ View full report in Codecov by Sentry. |
|
To fix the mypy problem add something like to [mypy-defusedxml.*]
ignore_missing_imports = TrueThis PR works with both xml and defusedxml so we do not have to wait on the rubin-env RFC. Also, there is no reason why we can't add defusedxml as a requirement in the |
|
Thanks @timj for your feedback. I added |
| str(path), | ||
| stream=False, | ||
| timeout=( | ||
| _timeout_from_environment("LSST_HTTP_TIMEOUT_CONNECT", 30.0), |
There was a problem hiding this comment.
Should we be reading the environment variables here if we are saying that OPTIONS should use a shorter timeout than other activities?
There was a problem hiding this comment.
I thought using the timeout values specified by the user via the environment variables for OPTIONS as well would be better for consistency. In addition, using the environment allows the user to configure the environment for using a potential slow server, as opposed to hardcoding a magic value.
There was a problem hiding this comment.
Yes, okay. I was concerned that people might want different values for OPTIONS and other things but if the env var is only used for testing it doesn't matter.
timj
changed the title
Checklist
doc/changes