coveralls
commented
8 months ago Pull Request Test Coverage Report for Build 8080878481
Details
- 6 of 10 (60.0%) changed or added relevant lines in 1 file are covered.
- No unchanged relevant lines lost coverage.
- Overall coverage decreased (-0.5%) to 98.005%
| Changes Missing Coverage | Covered Lines | Changed/Added Lines | % | ||
|---|---|---|---|---|---|
| modernrpc/apps.py | 6 | 10 | 60.0% | ||
| <!-- | Total: | 6 | 10 | 60.0% | --> |
| Totals | |
|---|---|
| Change from base Build 8065652169: | -0.5% |
| Covered Lines: | 737 |
| Relevant Lines: | 752 |
alorence
This change was originally suggested by @atodorov, thanks to him for this contribution.
Currently, django-modern-rpc uses builtin
xmlrpc.client.loads()function to parse incoming requests. But this can cause a security issue when an attacker send a valid but malicious XML-RPC request.A Python package can help to mitigate this kind of attack, defusedxml (GitHub repo).
The goal of this PR is to implement
defusedxmlsupport in django-modern-rpcCurrently:
defusedxml.xmlrpc.monkey_patch()is called fromModernRpcConfig.ready()when available<!ENTITY key "value">syntax in XML-RPC request is disabled and raise an exception on parsing stepdefusedxml.xmlrpc.monkey_patch()is not called, or whendefusedxml.xmlrpc.unmonkey_patch()is called after project initializationRemaining
Drawbacks
Due to a limitation in the wayedit: this is not true anymorelive_serverfixture has been customized for these tests, Django 2.1 cannot be supported anymore