From f75d20e01a7f43a502601f7dac81e1a319be41f6 Mon Sep 17 00:00:00 2001
From: vanou
Date: Tue, 28 Dec 2021 10:16:00 +0900
Subject: [PATCH] Use defusedxml instead of standard xml
Because XML handling modules in xml Python standard library are vulnerable[1], we should use defusedxml[2] for parsing XML.
[1] https://docs.python.org/3/library/xml.html#xml-vulnerabilities
[2] https://pypi.org/project/defusedxml/
Conflicts:
scciclient/tests/irmc/test_scci.py
Change-Id: I8ff057ee64c04c4cd5c92abf3e31b52c6225ed76
---
 requirements.txt | 1 +
 scciclient/irmc/scci.py | 4 +---
 scciclient/tests/irmc/test_scci.py | 4 ++--
 3 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/requirements.txt b/requirements.txt
index 30aac91..3729c32 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -6,6 +6,7 @@ Babel!=2.4.0,>=2.3.4 # BSD
 pyghmi>=1.0.24 # Apache-2.0
 pysnmp>=4.2.3 # BSD
 requests>=2.14.2 # Apache-2.0
+defusedxml>=0.7.0 # PSF
 six>=1.10.0 # MIT
 oslo.utils!=3.39.1,!=3.40.0,!=3.40.1,>=3.33.0;python_version>='3.0' # Apache-2.0
 oslo.utils!=3.39.1,!=3.40.0,!=3.40.1,>=3.33.0,<4.0.0;python_version<'3.0' # Apache-2.0
diff --git a/scciclient/irmc/scci.py b/scciclient/irmc/scci.py
index 9965c83..5780515 100755
--- a/scciclient/irmc/scci.py
+++ b/scciclient/irmc/scci.py
@@ -18,8 +18,8 @@ SCCI functionalities shared between different iRMC modules.
 import functools
 import time
-import xml.etree.ElementTree as ET
+import defusedxml.ElementTree as ET
 import requests
 import six
@@ -487,7 +487,6 @@ def get_sensor_data_records(report):
 """
 sensor = report.find("./System/SensorDataRecords")
- # ET.dump(sensor[0])
 return sensor
@@ -500,7 +499,6 @@ def get_irmc_version(report):
 """
 version = report.find("./System/ManagementControllers/iRMC")
- # ET.dump(version[0])
 return version
diff --git a/scciclient/tests/irmc/test_scci.py b/scciclient/tests/irmc/test_scci.py
index db12fbb..cd540cc 100644
--- a/scciclient/tests/irmc/test_scci.py
+++ b/scciclient/tests/irmc/test_scci.py
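Review bot: Re-binding the `ET` alias to defusedxml.ElementTree on the `+import` line of the scci.py hunk is not a full drop-in replacement: defusedxml.ElementTree exposes essentially only the parsing entry points (parse, iterparse, fromstring/XML, XMLParser, ParseError, tostring) and not Element, SubElement, ElementTree or dump, so any such `ET.` use elsewhere in scci.py (outside this hunk) would now fail with AttributeError at call time; the removal of the commented-out `ET.dump` lines in the two later hunks suggests this was noticed, but a module-wide check of the remaining `ET.` references is worth confirming. A second difference matters for the error-handling path: a document rejected by the defused parser (DTD, entity or external reference) raises a `defusedxml.DefusedXmlException` subclass, which derives from ValueError rather than from `ET.ParseError`, so if this module guards `ET.fromstring`/`ET.parse` with `except ET.ParseError` (not visible here), a rejected iRMC response will surface as an unexpected exception type instead of the existing parse-failure handling. I would add `# defusedxml: rejected input raises DefusedXmlException (ValueError), not ParseError` beside the import and widen such handlers to `except (ET.ParseError, defusedxml.DefusedXmlException):`, which needs a plain `import defusedxml` alongside the aliased import.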
@@ -55,13 +55,13 @@ class SCCITestCase(testtools.TestCase):
 os.path.dirname(__file__),
 'fixtures/irmc_report_ok.xml'), "r") as report_ok:
 self.report_ok_txt = report_ok.read()
- self.report_ok_xml = ET.fromstring(self.report_ok_txt)
+ self.report_ok_xml = dET.fromstring(self.report_ok_txt)
 with open(os.path.join(
 os.path.dirname(__file__),
 'fixtures/irmc_report_ng.xml'), "r") as report_ng:
 self.report_ng_txt = report_ng.read()
- self.report_ng_xml = ET.fromstring(self.report_ng_txt)
+ self.report_ng_xml = dET.fromstring(self.report_ng_txt)
 self.irmc_address = '10.124.196.159'
 self.irmc_username = 'admin'
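Review bot: The two `+` lines call `dET.fromstring`, but nothing in this patch binds `dET`: the diffstat gives test_scci.py exactly 2 insertions and 2 deletions, which are these lines, so the test module's imports are not touched here. Either the target branch already carries `import defusedxml.ElementTree as dET` (the Conflicts trailer hints at a backport where that may be the case) or setUp will fail with NameError before any test runs; this should be confirmed before merging. As a matter of style, the production module aliases defusedxml as `ET` while the tests call it `dET`; using the same alias in both, or pairing the test import with `# fixtures are parsed with the same defused parser scci.py uses`, would make the intent clearer. The enclosing setUp begins before this hunk and continues after it.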