From 3840b7181220274c09dd1848f0d9cef61b9e66b7 Mon Sep 17 00:00:00 2001
From: Miguel Jacq
Date: Thu, 27 Nov 2025 15:21:17 +1100
Subject: [PATCH] Satisfy the needs of defusedxml.defuse_stdlib() whilst still retaining functionality and passing tests
---
 src/jinjaturtle/core.py | 11 +++++------
 tests/test_core.py | 6 ++----
 2 files changed, 7 insertions(+), 10 deletions(-)
diff --git a/src/jinjaturtle/core.py b/src/jinjaturtle/core.py
index 753da81..5da35af 100644
--- a/src/jinjaturtle/core.py
+++ b/src/jinjaturtle/core.py
@@ -2,7 +2,7 @@ from __future__ import annotations
 import configparser
 import json
-import xml.etree.ElementTree as ET # nosec
+import xml.etree.ElementTree as ET # nosec
 import yaml
 from collections import Counter, defaultdict
@@ -103,9 +103,7 @@ def parse_config(path: Path, fmt: str | None = None) -> tuple[str, Any]:
 if fmt == "xml":
 text = path.read_text(encoding="utf-8")
- # defusedxml.defuse_stdlib() is called in CLI entrypoint
- parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=False)) # nosec
- root = ET.fromstring(text, parser=parser) # nosec
+ root = ET.fromstring(text) # nosec B314
 return fmt, root
 raise ValueError(f"Unsupported config format: {fmt}")
@@ -870,8 +868,9 @@ def _generate_xml_template_from_text(role_prefix: str, text: str) -> str:
 # Parse with comments included so are preserved
 # defusedxml.defuse_stdlib() is called in CLI entrypoint
- parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True)) # nosec
- root = ET.fromstring(body, parser=parser) # nosec
+ parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True)) # nosec B314
+ parser.feed(body)
+ root = parser.close()
 _apply_jinja_to_xml_tree(role_prefix, root)
diff --git a/tests/test_core.py b/tests/test_core.py
index 8e65697..53e979c 100644
--- a/tests/test_core.py
+++ b/tests/test_core.py
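Review bot: In parse_config the `# nosec B314` suppression on `root = ET.fromstring(text)` is left without its justification, because the hunk deletes the comment stating that defusedxml.defuse_stdlib() is called in the CLI entrypoint, and the call is only hardened when that process-wide monkey patch has already run. A caller that imports jinjaturtle.core and calls parse_config directly would, as far as this diff shows, reach the unpatched stdlib parser on a config file it may not control. Prefer naming the hardened function at the call site, `from defusedxml import ElementTree as DefusedET` and `root = DefusedET.fromstring(text)`, or at minimum restore the comment beside the suppression. The same ordering dependency applies to the `ET.XMLParser(target=...)` construction in the _generate_xml_template_from_text hunk, where `defusedxml.ElementTree.XMLParser` could be used instead; both function bodies continue outside their hunks.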
@@ -566,8 +566,7 @@ def test_generate_template_xml_structural_fallback():
 """
 )
- parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=False))
- root = ET.fromstring(xml_text, parser=parser)
+ root = ET.fromstring(xml_text)
 tmpl = generate_template("xml", parsed=root, role_prefix="role")
@@ -643,8 +642,7 @@ def test_flatten_xml_text_with_attributes_uses_value_suffix():
 the text at path + ('value',), not just path.
 """
 xml_text = "text"
- parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=False))
- root = ET.fromstring(xml_text, parser=parser)
+ root = ET.fromstring(xml_text)
 items = flatten_config("xml", root)
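Review bot: Both test hunks build their input with `ET.fromstring(xml_text)` on the plain stdlib module, and nothing visible in them applies defusedxml.defuse_stdlib(), so the suite may never exercise the patched parser this commit adapts the code to. If so, neither the compatibility being fixed (presumably the defused `fromstring` not accepting `parser=`) nor the rejection of entity-declaring input is covered. Consider a test that goes through the CLI entrypoint, or applies the patch in a fixture, and asserts that parse_config raises `defusedxml.EntitiesForbidden` for a document that declares an internal entity. The gap is the same in test_generate_template_xml_structural_fallback and test_flatten_xml_text_with_attributes_uses_value_suffix, and both test bodies start outside their hunks.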