This repository has been archived by the owner on Jan 3, 2024. It is now read-only.

Replace xml.etree.ElementTree.fromstring functions with their defusedxml equivalents. #140

Closed
lewismc opened this issue Jul 31, 2019 · 3 comments

Comments

@lewismc
Member

lewismc commented Jul 31, 2019

DeepSource has flagged the following issues

In podaac/podaac.py

root = ET.fromstring(dataset.encode('utf-8'))

Justification is as follows

Using xml.etree.ElementTree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.fromstring with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
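The following is an added example, not code from podaacpy or the issue, showing what the replacement looks like in practice. It assumes the call site holds the service response as a `str` named `dataset` (as in the quoted line) and that the response is untrusted. `safe_fromstring` uses `defusedxml.ElementTree.fromstring` when the package is installed; when it is not, a stdlib-only pre-check built on `xml.parsers.expat` applies the same policy (no DOCTYPE, no entity declarations, no external references) before handing the bytes to `ET.fromstring`. Both sample documents are constructed for the example.

```python
"""Hardened replacement for ET.fromstring(dataset.encode('utf-8'))."""
import xml.etree.ElementTree as ET
import xml.parsers.expat

try:
    import defusedxml.ElementTree as DET  # the fix the issue recommends
except ImportError:  # assumption: keep the example runnable without the package
    DET = None


class ForbiddenXMLConstruct(ValueError):
    """Untrusted XML carried a DOCTYPE, entity declaration or external reference."""


def _reject_dtd_and_entities(data: bytes) -> None:
    """Stdlib-only pre-check mirroring defusedxml's policy (forbid_dtd=True)."""
    parser = xml.parsers.expat.ParserCreate()

    def forbid(*_args):
        # Raising inside an expat handler aborts the parse and propagates here.
        raise ForbiddenXMLConstruct("DTD, entity and external declarations are not allowed")

    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.UnparsedEntityDeclHandler = forbid
    parser.ExternalEntityRefHandler = forbid
    parser.Parse(data, True)


def safe_fromstring(data: bytes) -> ET.Element:
    """Drop-in replacement for ET.fromstring on untrusted input."""
    if DET is not None:
        # forbid_entities and forbid_external already default to True;
        # forbid_dtd=True is stricter than defusedxml's default of False.
        return DET.fromstring(data, forbid_dtd=True)
    _reject_dtd_and_entities(data)
    return ET.fromstring(data)


def outcome(parse_fn, data: bytes) -> str:
    """Return 'parsed' or the name of the rejecting exception (both
    ForbiddenXMLConstruct and defusedxml's exceptions subclass ValueError)."""
    try:
        parse_fn(data)
        return "parsed"
    except ValueError as exc:
        return type(exc).__name__


# Constructed sample of an ordinary service response (not real PO.DAAC data).
BENIGN = b'<?xml version="1.0"?><dataset><shortName>example</shortName></dataset>'

# Constructed sample with an internal DTD whose entities expand on reference.
# Stdlib ET.fromstring expands it silently; safe_fromstring rejects it.
ENTITY_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE d [
 <!ENTITY a "lol">
 <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
]>
<d>&b;</d>"""


if __name__ == "__main__":
    dataset = BENIGN.decode("utf-8")  # mirrors the str the call site holds
    print(safe_fromstring(dataset.encode("utf-8")).tag)
    print("stdlib:", outcome(ET.fromstring, ENTITY_DOC))
    print("hardened:", outcome(safe_fromstring, ENTITY_DOC))
```

Detection of a regression is cheap: a unit test that feeds `ENTITY_DOC` to the parsing function and expects a `ValueError` will fail the moment someone reintroduces a bare `ET.fromstring`.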

@lewismc lewismc added this to the 2.3.0 milestone Jul 31, 2019
@lewismc lewismc self-assigned this Jul 31, 2019
@lewismc
Member Author

lewismc commented Jul 31, 2019

Full analysis can be seen at https://deepsource.io/gh/nasa/podaacpy/issues/?type=security

@lewismc
Member Author

lewismc commented Jul 31, 2019

There are a few instances of this happening but it should be trivial to fix.

@lewismc
Member Author

lewismc commented Aug 2, 2019

Additional issues can be located at https://deepsource.io/gh/nasa/podaacpy/issues/
