use defusedxml, silence bandit warnings

2025-11-27 15:10:45 +11:00 · 2025-11-27 15:10:45 +11:00 · 910234ed65
commit 910234ed65
parent 9faa2d2e2e
4 changed files with 22 additions and 6 deletions
--- a/poetry.lock
+++ b/poetry.lock
@ -461,6 +461,17 @@ ssh = ["bcrypt (>=3.1.5)"]
 test = ["certifi (>=2024)", "cryptography-vectors (==46.0.3)", "pretend (>=0.7)", "pytest (>=7.4.0)", "pytest-benchmark (>=4.0)", "pytest-cov (>=2.10.1)", "pytest-xdist (>=3.5.0)"]
 test-randomorder = ["pytest-randomly"]
 [[package]]
 name = "defusedxml"
 version = "0.7.1"
 description = "XML bomb protection for Python stdlib modules"
 optional = false
 python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*"
 files = [
    {file = "defusedxml-0.7.1-py2.py3-none-any.whl", hash = "sha256:a352e7e428770286cc899e2542b6cdaedb2b4953ff269a210103ec58f6198a61"},
    {file = "defusedxml-0.7.1.tar.gz", hash = "sha256:1bb3032db185915b62d7c6209c5a8792be6a32ab2fedacc84e01b52c51aa3e69"},
 ]
 [[package]]
 name = "desktop-entry-lib"
 version = "5.0"
@ -1182,4 +1193,4 @@ type = ["pytest-mypy"]
 [metadata]
 lock-version = "2.0"
 python-versions = "^3.10"
-content-hash = "17e97a5516576384aafd227385b42be9178527537a52ab44e8797816534b5193"
+content-hash = "b9153226d96d26f633a7d95ba83b05e78a0063d4c5471b5e0d5f928a4cae0a57"
--- a/pyproject.toml
+++ b/pyproject.toml
@ -16,6 +16,7 @@ repository = "https://git.mig5.net/mig5/jinjaturtle"
 python = "^3.10"
 PyYAML = "^6.0"
 tomli = { version = "^2.0.0", python = "<3.11" }
 defusedxml = "^0.7.1"
 [tool.poetry.group.dev.dependencies]
 pytest = "^7.0"
--- a/src/jinjaturtle/cli.py
+++ b/src/jinjaturtle/cli.py
@ -2,6 +2,7 @@ from __future__ import annotations
 import argparse
 import sys
 from defusedxml import defuse_stdlib
 from pathlib import Path
 from .core import (
@ -47,6 +48,7 @@ def _build_arg_parser() -> argparse.ArgumentParser:
 def _main(argv: list[str] | None = None) -> int:
    defuse_stdlib()
    parser = _build_arg_parser()
    args = parser.parse_args(argv)
--- a/src/jinjaturtle/core.py
+++ b/src/jinjaturtle/core.py
@ -2,7 +2,7 @@ from __future__ import annotations
 import configparser
 import json
-import xml.etree.ElementTree as ET
+import xml.etree.ElementTree as ET # nosec
 import yaml
 from collections import Counter, defaultdict
@ -103,8 +103,9 @@ def parse_config(path: Path, fmt: str | None = None) -> tuple[str, Any]:
    if fmt == "xml":
        text = path.read_text(encoding="utf-8")
-        parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=False))
+        # defusedxml.defuse_stdlib() is called in CLI entrypoint
-        root = ET.fromstring(text, parser=parser)
+        parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=False)) # nosec
        root = ET.fromstring(text, parser=parser) # nosec
        return fmt, root
    raise ValueError(f"Unsupported config format: {fmt}")
@ -868,8 +869,9 @@ def _generate_xml_template_from_text(role_prefix: str, text: str) -> str:
    prolog, body = _split_xml_prolog(text)
    # Parse with comments included so <!-- --> are preserved
-    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
+    # defusedxml.defuse_stdlib() is called in CLI entrypoint
-    root = ET.fromstring(body, parser=parser)
+    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True)) # nosec
    root = ET.fromstring(body, parser=parser) # nosec
    _apply_jinja_to_xml_tree(role_prefix, root)