👽 Replace deprecated defusedxml.lxml module usage

maykinmedia · Jan 25, 2024 · 3ed4a9b · 3ed4a9b
1 parent 1081708
commit 3ed4a9b
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 3 deletions.
diff --git a/digid_eherkenning/saml2/eherkenning.py b/digid_eherkenning/saml2/eherkenning.py
@@ -7,10 +7,9 @@
 from django.urls import reverse
 from django.utils import timezone
 
-from defusedxml.lxml import tostring
 from furl.furl import furl
 from lxml.builder import ElementMaker
-from lxml.etree import Element
+from lxml.etree import Element, tostring
 from OpenSSL import crypto
 
 from ..choices import AssuranceLevels

diff --git a/digid_eherkenning/utils.py b/digid_eherkenning/utils.py
@@ -2,9 +2,10 @@
 
 from django.conf import settings
 
-from defusedxml.lxml import parse
 from lxml import etree
 
+from .xml import parse
+
 
 def get_client_ip(request):
     x_forwarded_for = request.META.get("HTTP_X_FORWARDED_FOR")

diff --git a/digid_eherkenning/xml.py b/digid_eherkenning/xml.py
@@ -0,0 +1,17 @@
+"""
+XML parsing with DTD/Entities blocking.
+
+Inspired by https://github.com/mvantellingen/python-zeep/pull/1179/ as their solution
+for the deprecated defusedxml.lxml module and the defaults applied in defusedxml.lxml.
+"""
+from lxml.etree import XMLParser, parse as _parse
+
+
+def parse(source):
+    """
+    Parse an LXML etree from source without resolving entities.
+
+    Resolving entities is a security risk, which is why we disable it.
+    """
+    parser = XMLParser(resolve_entities=False)
+    return _parse(source, parser)