Use defusedxml instead of standard xml

Because XML handling modules in xml Python standard library are vulnerable[1], we should use defusedxml[2] for parsing XML. [1] https://docs.python.org/3/library/xml.html#xml-vulnerabilities [2] https://pypi.org/project/defusedxml/ Conflicts: scciclient/tests/irmc/test_scci.py Change-Id: I8ff057ee64c04c4cd5c92abf3e31b52c6225ed76 (cherry picked from commit 8e527de430) (cherry picked from commit 3488869d99) (cherry picked from commit 677eb05cb3)
2021-12-28 10:16:00 +09:00 · 2021-12-28 10:16:00 +09:00 · 7f1176810c
parent 9debe94866
commit 7f1176810c
3 changed files with 5 additions and 5 deletions
--- a/requirements.txt
+++ b/requirements.txt
@ -6,6 +6,7 @@ Babel!=2.4.0,>=2.3.4 # BSD
 pyghmi>=1.0.24 # Apache-2.0
 pysnmp>=4.2.3 # BSD
 requests>=2.14.2 # Apache-2.0
+defusedxml>=0.7.0 # PSF
 six>=1.10.0 # MIT
 oslo.utils!=3.39.1,!=3.40.0,!=3.40.1,>=3.33.0 # Apache-2.0
 oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
--- a/scciclient/irmc/scci.py
+++ b/scciclient/irmc/scci.py
@ -18,8 +18,8 @@ SCCI functionalities shared between different iRMC modules.

 import functools
 import time
-import xml.etree.ElementTree as ET

+import defusedxml.ElementTree as ET
 import requests
 import six

@ -487,7 +487,6 @@ def get_sensor_data_records(report):
    """

    sensor = report.find("./System/SensorDataRecords")
-    # ET.dump(sensor[0])
    return sensor


@ -500,7 +499,6 @@ def get_irmc_version(report):
    """

    version = report.find("./System/ManagementControllers/iRMC")
-    # ET.dump(version[0])
    return version


--- a/scciclient/tests/irmc/test_scci.py
+++ b/scciclient/tests/irmc/test_scci.py
@ -20,6 +20,7 @@ import sys
 import time
 import xml.etree.ElementTree as ET

+import defusedxml.ElementTree as dET
 from requests_mock.contrib import fixture as rm_fixture
 import six
 import six.moves.builtins as __builtin__
@ -54,13 +55,13 @@ class SCCITestCase(testtools.TestCase):
                os.path.dirname(__file__),
                'fixtures/irmc_report_ok.xml'), "r") as report_ok:
            self.report_ok_txt = report_ok.read()
-        self.report_ok_xml = ET.fromstring(self.report_ok_txt)
+        self.report_ok_xml = dET.fromstring(self.report_ok_txt)

        with open(os.path.join(
                os.path.dirname(__file__),
                'fixtures/irmc_report_ng.xml'), "r") as report_ng:
            self.report_ng_txt = report_ng.read()
-        self.report_ng_xml = ET.fromstring(self.report_ng_txt)
+        self.report_ng_xml = dET.fromstring(self.report_ng_txt)

        self.irmc_address = '10.124.196.159'
        self.irmc_username = 'admin'