Satisfy the needs of defusedxml.defuse_stdlib() whilst still retaining functionality and passing tests

use defusedxml, silence bandit warnings
Revert "Use defusedxml"
2025-11-27 15:21:17 +11:00 · 2025-11-27 15:10:45 +11:00 · 2025-11-27 15:01:40 +11:00
3 changed files with 11 additions and 10 deletions
--- a/src/jinjaturtle/cli.py
+++ b/src/jinjaturtle/cli.py
@ -2,6 +2,7 @@ from __future__ import annotations

 import argparse
 import sys
+from defusedxml import defuse_stdlib
 from pathlib import Path

 from .core import (
@ -47,6 +48,7 @@ def _build_arg_parser() -> argparse.ArgumentParser:


 def _main(argv: list[str] | None = None) -> int:
+    defuse_stdlib()
    parser = _build_arg_parser()
    args = parser.parse_args(argv)

--- a/src/jinjaturtle/core.py
+++ b/src/jinjaturtle/core.py
@ -2,10 +2,10 @@ from __future__ import annotations

 import configparser
 import json
+import xml.etree.ElementTree as ET  # nosec
 import yaml

 from collections import Counter, defaultdict
-from defusedxml import ElementTree as ET
 from pathlib import Path
 from typing import Any, Iterable

@ -103,8 +103,7 @@ def parse_config(path: Path, fmt: str | None = None) -> tuple[str, Any]:

    if fmt == "xml":
        text = path.read_text(encoding="utf-8")
-        parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=False))
-        root = ET.fromstring(text, parser=parser)
+        root = ET.fromstring(text) # nosec B314
        return fmt, root

    raise ValueError(f"Unsupported config format: {fmt}")
@ -868,8 +867,10 @@ def _generate_xml_template_from_text(role_prefix: str, text: str) -> str:
    prolog, body = _split_xml_prolog(text)

    # Parse with comments included so <!-- --> are preserved
-    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
-    root = ET.fromstring(body, parser=parser)
+    # defusedxml.defuse_stdlib() is called in CLI entrypoint
+    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))  # nosec B314
+    parser.feed(body)
+    root = parser.close()

    _apply_jinja_to_xml_tree(role_prefix, root)

--- a/tests/test_core.py
+++ b/tests/test_core.py
@ -1,11 +1,11 @@
 from __future__ import annotations

-from defusedxml import ElementTree as ET
 from pathlib import Path
 import configparser
 import pytest
 import textwrap
 import yaml
+import xml.etree.ElementTree as ET

 import jinjaturtle.core as core
 from jinjaturtle.core import (
@ -566,8 +566,7 @@ def test_generate_template_xml_structural_fallback():
        </root>
        """
    )
-    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=False))
-    root = ET.fromstring(xml_text, parser=parser)
+    root = ET.fromstring(xml_text)

    tmpl = generate_template("xml", parsed=root, role_prefix="role")

@ -643,8 +642,7 @@ def test_flatten_xml_text_with_attributes_uses_value_suffix():
    the text at path + ('value',), not just path.
    """
    xml_text = "<root><node attr='x'>text</node></root>"
-    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=False))
-    root = ET.fromstring(xml_text, parser=parser)
+    root = ET.fromstring(xml_text)

    items = flatten_config("xml", root)
Author	SHA1	Message	Date
Miguel Jacq	3840b71812	Satisfy the needs of defusedxml.defuse_stdlib() whilst still retaining functionality and passing tests Some checks failed CI / test (push) Successful in 40s Details Lint / test (push) Failing after 23s Details Trivy / test (push) Successful in 23s Details	2025-11-27 15:21:17 +11:00
Miguel Jacq	910234ed65	use defusedxml, silence bandit warnings	2025-11-27 15:10:45 +11:00
Miguel Jacq	9faa2d2e2e	Revert "Use defusedxml" This reverts commit `1a7359fc3c`.	2025-11-27 15:01:40 +11:00