geopython / pywps

PyWPS is an implementation of the Web Processing Service standard from the Open Geospatial Consortium. PyWPS is written in Python.

https://pywps.org

MIT License

178 stars 117 forks source link

Fix lxml default parser #616

Closed cehbrecht closed 3 years ago

cehbrecht commented 3 years ago

Overview

This PR configures the lxml default parser to avoid security issues.

For example the default lxml parser replaces entities in the XML request with the content of local system files.

Changes:

Added xml_util.py with a configured lxml parser for lxml.etree.fromstring and lxml.etree.parse.
Added test for xml_util.py.
Adjust to werkzeug deprecation warnings:
- use werkzeug.Response
- use markupsafe
Cleaned up imports.

Related Issue / Discussion

https://github.com/geopython/OWSLib/issues/790

Additional Information

This PR is not using defusedxml.lxml since it is deprecated: https://pypi.org/project/defusedxml/#defusedxml-lxml

Contribution Agreement

(as per https://github.com/geopython/pywps/blob/master/CONTRIBUTING.rst#contributions-and-licensing)

[ ] I'd like to contribute [feature X|bugfix Y|docs|something else] to PyWPS. I confirm that my contributions to PyWPS will be compatible with the PyWPS license guidelines at the time of contribution.
[x ] I have already previously agreed to the PyWPS Contributions and Licensing Guidelines

coveralls commented 3 years ago

Coverage remained the same at 0.0% when pulling 6896931b926d81b2debe8f907495dd742d705c6c on cehbrecht:fix-lxml-parser into 711219792be8b3d6a175a81152282dc5046d412b on geopython:pywps-4.4.