Open cehbrecht opened 6 years ago
Are we talking about those files?

```
grep -r "etree.tostring" pywps/*/*.py
pywps/app/WPSRequest.py: return lxml.etree.tostring(value_el, encoding=unicode) # noqa
pywps/app/WPSRequest.py: return lxml.etree.tostring(value_el, encoding=str)
pywps/inout/inputs.py: data["data"] = etree.tostring(data_doc, pretty_print=True).decode("utf-8")
pywps/inout/inputs.py: data["data"] = etree.tostring(etree.CDATA(self.base64))
pywps/inout/outputs.py: data["data"] = etree.tostring(data_doc, pretty_print=True).decode("utf-8")
pywps/inout/outputs.py: data["data"] = etree.tostring(etree.CDATA(self.base64))
```

```
grep -r "etree.parse" pywps/*/*.py
pywps/inout/inputs.py: data_doc = etree.parse(self.file)
pywps/inout/outputs.py: data_doc = etree.parse(self.file)
pywps/validator/complexvalidator.py: gmlschema_doc = etree.parse(urlopen(schema_url))
pywps/validator/complexvalidator.py: passed = gmlschema.validate(etree.parse(data_input.stream))
```
I think so. Codacy probably only checks the imports (lxml): https://app.codacy.com/app/cehbrecht/pywps/security
Though I do not understand why this is not handled in lxml itself and we have to use an extra library.
We'll need to ensure defusedxml exists in Debian / UbuntuGIS packages (cc @kalxas) and is specified in debian/control
Description
Codacy complains about lxml usage: https://docs.openstack.org/bandit/latest/api/bandit.blacklists.html#b410-import-lxml
We should use defusedxml
Steps to Reproduce
Check codacy report for PyWPS.
Additional Information
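As an added illustration (not pywps code and not part of this issue), the following shows what a hardened replacement for the plain `etree.parse(...)` calls listed in the grep output looks like: lxml's own parser switches that turn off entity expansion and network access, plus the post-parse check on the document's DTD that defusedxml.lxml adds on top. The helper names and the sample documents are constructed for the example.

```python
import io
from lxml import etree


def hardened_parser():
    """lxml parser with the insecure defaults switched off."""
    return etree.XMLParser(
        resolve_entities=False,  # leave &name; unexpanded instead of substituting it
        no_network=True,         # never fetch external DTDs or entities over the network
        load_dtd=False,          # do not load an external DTD at all
        huge_tree=False,         # keep libxml2's depth and size limits enabled
    )


def parse_untrusted(source):
    """Drop-in for etree.parse(source) that additionally refuses any entity
    declared in the document's DTD. This mirrors the check defusedxml.lxml
    performs after parsing (docinfo inspection), which lxml does not do by itself."""
    tree = etree.parse(source, parser=hardened_parser())
    docinfo = tree.docinfo
    for dtd in (docinfo.internalDTD, docinfo.externalDTD):
        if dtd is None:
            continue
        for entity in dtd.iterentities():
            raise ValueError("entity declaration refused: " + entity.name)
    return tree


def root_tag_or_refusal(xml_bytes):
    """Hypothetical helper: root tag if the document is accepted, else the refusal message."""
    try:
        return parse_untrusted(io.BytesIO(xml_bytes)).getroot().tag
    except ValueError as exc:
        return str(exc)


# Constructed sample inputs (not taken from the issue): a plain document, and one
# whose internal subset declares an entity that default lxml settings would expand.
PLAIN = b"<r><v>1</v></r>"
WITH_ENTITY = b"<!DOCTYPE r [<!ENTITY e 'x'>]><r>&e;</r>"

if __name__ == "__main__":
    print(root_tag_or_refusal(PLAIN))        # r
    print(root_tag_or_refusal(WITH_ENTITY))  # entity declaration refused: e
```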