Now using defusedxml to fix a known vulnerability https://docs.pyth…
Sylvain MARIE committed May 18, 2021
1 parent a6eef80 commit 0817b53
Showing 3 changed files with 17 additions and 3 deletions.
12 changes: 10 additions & 2 deletions genbadge/utils_coverage.py
Expand Up @@ -7,7 +7,15 @@
from __future__ import division

from .utils_badge import Badge
from xml.etree import ElementTree

try:
# security patch: see https://docs.python.org/3/library/xml.etree.elementtree.html
import defusedxml
except ImportError as e:
class FakeDefusedXmlImport(object):
def __getattribute__(self, item):
raise ImportError("Could not import `defusedxml` module, please install it. Caught: %r" % e)
defusedxml = FakeDefusedXmlImport()


class CoverageStats(object):
Expand Down Expand Up @@ -114,7 +122,7 @@ class CovParser(object):
"""Parser class - inspired by the code in `xunitparser`"""

def parse(self, source):
xml = ElementTree.parse(source)
xml = defusedxml.ElementTree.parse(source)
root = xml.getroot()
return self.parse_root(root)

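Review bot: `xml = defusedxml.ElementTree.parse(source)` in the second hunk (`CovParser.parse`) depends on the `ElementTree` attribute being bound on the `defusedxml` package, but `import defusedxml` in the first hunk only loads the package `__init__`, which does not import its submodules; the attribute is present only if some other module has already executed `from defusedxml import ElementTree` (as `utils_junit.py` happens to do), otherwise the call raises AttributeError. Import the submodule explicitly in the first hunk: `import defusedxml.ElementTree`. A second problem in the first hunk: on Python 3 the `except ImportError as e:` target is unbound once the handler exits, so when defusedxml is missing `FakeDefusedXmlImport.__getattribute__` fails with NameError on `e` instead of the intended ImportError; bind it to a module-level name inside the handler (`_defusedxml_import_error = e`) and format that name in the message instead of `e`. The same unbound-`e` pattern already exists in `FakeXunitParserImport` in `utils_junit.py` but predates this commit.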
4 changes: 4 additions & 0 deletions genbadge/utils_junit.py
Expand Up @@ -15,6 +15,10 @@
try:
# xunitparser is an optional dependency, do not fail if it cant be loaded
import xunitparser
# security patch: see https://docs.python.org/3/library/xml.etree.elementtree.html
# to remove when https://github.com/laurentb/xunitparser/issues/14 is fixed
from defusedxml import ElementTree
setattr(xunitparser, "ElementTree", ElementTree)
except ImportError as e:
class FakeXunitParserImport(object):
def __getattribute__(self, item):
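Review bot: `from defusedxml import ElementTree` sits inside the same `try` as `import xunitparser`, so a missing `defusedxml` is caught by the `except ImportError` below and surfaced through `FakeXunitParserImport`, whose message (outside the hunk) presumably points at xunitparser rather than the package actually missing; import defusedxml in its own `try`/`except ImportError` with a message naming `defusedxml`, or at least include `e` in the text. The `setattr(xunitparser, "ElementTree", ElementTree)` patch also only protects anything if xunitparser resolves `ElementTree` through its module global at call time, and `setattr` succeeds silently even when no such global exists; placing `if not hasattr(xunitparser, "ElementTree"): raise ImportError("xunitparser has no ElementTree attribute, cannot apply the defusedxml patch")` before the `setattr` makes a patch that no longer applies fail loudly rather than quietly fall back to `xml.etree`. The `except` handler and the fake-import class continue below the hunk.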
4 changes: 3 additions & 1 deletion setup.cfg
Expand Up @@ -78,12 +78,14 @@ exclude =
# Optional dependencies that can be installed with e.g. $ pip install -e .[dev,test]
[options.extras_require]
tests =
defusedxml
xunitparser
coverage =

defusedxml
flake8 =
flake8-html
all =
defusedxml
xunitparser
flake8-html

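Review bot: `defusedxml` is added only under the `tests`, `coverage` and `all` extras, yet after this commit `genbadge/utils_coverage.py` cannot parse any coverage XML without it and `genbadge/utils_junit.py` needs it whenever xunitparser is importable; unless `install_requires` (outside the hunk) also lists it, a plain install without extras leaves the XML parsers raising at first use. If hardened parsing is meant to be the default behaviour, `defusedxml` belongs in `install_requires` rather than only in optional extras. The new entries also carry no version bound; a lower bound matching the release the project was tested with would be consistent with treating it as a security dependency.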
