From 7f1176810c940a34081ad33c893461a22a949537 Mon Sep 17 00:00:00 2001
From: vanou
Date: Tue, 28 Dec 2021 10:16:00 +0900
Subject: [PATCH] Use defusedxml instead of standard xml

Because XML handling modules in xml Python standard library are vulnerable[1], we should use defusedxml[2] for parsing XML.

[1] https://docs.python.org/3/library/xml.html#xml-vulnerabilities
[2] https://pypi.org/project/defusedxml/

Conflicts:
 scciclient/tests/irmc/test_scci.py

Change-Id: I8ff057ee64c04c4cd5c92abf3e31b52c6225ed76
(cherry picked from commit 8e527de430cc6dc2a743e39af478cb84f71a3af9)
(cherry picked from commit 3488869d99e0a2be01db097ac09442b402a52cda)
(cherry picked from commit 677eb05cb33611b0e4896848d61e3f26f19b9ebe)
---
 requirements.txt | 1 +
 scciclient/irmc/scci.py | 4 +---
 scciclient/tests/irmc/test_scci.py | 5 +++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/requirements.txt b/requirements.txt
index 467f156..3b770cd 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -6,6 +6,7 @@ Babel!=2.4.0,>=2.3.4 # BSD
 pyghmi>=1.0.24 # Apache-2.0
 pysnmp>=4.2.3 # BSD
 requests>=2.14.2 # Apache-2.0
+defusedxml>=0.7.0 # PSF
 six>=1.10.0 # MIT
 oslo.utils!=3.39.1,!=3.40.0,!=3.40.1,>=3.33.0 # Apache-2.0
 oslo.serialization!=2.19.1,>=2.18.0 # Apache-2.0
diff --git a/scciclient/irmc/scci.py b/scciclient/irmc/scci.py
index 9965c83..5780515 100755
--- a/scciclient/irmc/scci.py
+++ b/scciclient/irmc/scci.py
@@ -18,8 +18,8 @@ SCCI functionalities shared between different iRMC modules.
 import functools
 import time
-import xml.etree.ElementTree as ET
+import defusedxml.ElementTree as ET
 import requests
 import six
@@ -487,7 +487,6 @@ def get_sensor_data_records(report):
     """
     sensor = report.find("./System/SensorDataRecords")
-    # ET.dump(sensor[0])
     return sensor
@@ -500,7 +499,6 @@ def get_irmc_version(report):
     """
     version = report.find("./System/ManagementControllers/iRMC")
-    # ET.dump(version[0])
     return version
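Review bot: The new `defusedxml>=0.7.0 # PSF` line adds a runtime dependency to requirements.txt only; if this repository also carries a lower-constraints file or a separate test-requirements list (plausible given the Change-Id-style workflow, though neither is visible in this patch), the same floor needs to be mirrored there or the constrained CI job will not resolve it. A one-line comment beside the entry, `# hardened XML parser for iRMC reports; replaces xml.etree in scciclient/irmc/scci.py`, would record why the pin exists so it is not dropped as unused later.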
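Review bot: `import defusedxml.ElementTree as ET` binds `ET` to a module that, as of defusedxml 0.7.x, re-exports only the parsing entry points (`parse`, `iterparse`, `fromstring`/`XML`, `XMLParser`) plus `ParseError` and `tostring`; constructors such as `ET.Element`, `ET.SubElement`, `ET.ElementTree` and the `ET.dump` helper are not reachable through it. The rest of scci.py is outside this hunk, so any remaining use of those names would now fail with AttributeError at call time rather than at import; the two `# ET.dump(...)` deletions further down suggest this was noticed for dump, but a grep for `ET.` before merging is cheap insurance. The second behavioural difference is the exception type: a document that defusedxml refuses raises `defusedxml.EntitiesForbidden` / `ExternalReferenceForbidden` (subclasses of `DefusedXmlException`, itself a `ValueError`), not `ET.ParseError`, so any `except ET.ParseError` around the report parse no longer covers the rejected case and the caller sees a new exception. If such a handler exists, widen it to `except (ET.ParseError, defusedxml.DefusedXmlException):` (with `import defusedxml`) and note the reason inline, e.g. `# defusedxml rejects entity/external-reference constructs with a ValueError subclass, not ParseError`.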
diff --git a/scciclient/tests/irmc/test_scci.py b/scciclient/tests/irmc/test_scci.py
index 8d0d805..7aec339 100644
--- a/scciclient/tests/irmc/test_scci.py
+++ b/scciclient/tests/irmc/test_scci.py
@@ -20,6 +20,7 @@ import sys
 import time
 import xml.etree.ElementTree as ET
+import defusedxml.ElementTree as dET
 from requests_mock.contrib import fixture as rm_fixture
 import six
 import six.moves.builtins as __builtin__
@@ -54,13 +55,13 @@ class SCCITestCase(testtools.TestCase):
                 os.path.dirname(__file__), 'fixtures/irmc_report_ok.xml'), "r") as report_ok:
             self.report_ok_txt = report_ok.read()
-            self.report_ok_xml = ET.fromstring(self.report_ok_txt)
+            self.report_ok_xml = dET.fromstring(self.report_ok_txt)
         with open(os.path.join( os.path.dirname(__file__), 'fixtures/irmc_report_ng.xml'), "r") as report_ng:
             self.report_ng_txt = report_ng.read()
-            self.report_ng_xml = ET.fromstring(self.report_ng_txt)
+            self.report_ng_xml = dET.fromstring(self.report_ng_txt)
         self.irmc_address = '10.124.196.159'
         self.irmc_username = 'admin'
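Review bot: The test module now imports both `xml.etree.ElementTree as ET` and `defusedxml.ElementTree as dET`; after the setUp change below, `ET` remains justified only if some test outside this hunk still uses it, otherwise flake8 will flag it as unused (F401) and the stdlib import should go. If it is still needed, a short comment at the import, `# ET: stdlib ElementTree for building/comparing elements; dET: hardened parser matching scci.py`, would stop the next reader from "cleaning up" the wrong one.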
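Review bot: Nothing in the test change pins the hardening the commit is for: setUp merely parses the two fixtures with `dET.fromstring`, which passes equally under the old parser, so a later revert to `xml.etree` in scci.py would go unnoticed. A regression test that feeds the production parse path (the scci.py function that calls `ET.fromstring` on the iRMC report, outside this diff) a minimal document declaring one internal entity and referencing it, and asserts `defusedxml.EntitiesForbidden` is raised, would make that revert fail CI. Note that defusedxml's `fromstring` defaults to `forbid_dtd=False`, so the fixture must actually declare an entity rather than carry a bare DOCTYPE, or the parse will succeed. setUp begins outside this hunk.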