Enable use-defusedxml; add description

pixee · Oct 24, 2023 · a534257 · a534257
1 parent fd5d355
commit a534257
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 0 deletions.
diff --git a/ci_tests/test_pygoat_findings.py b/ci_tests/test_pygoat_findings.py
@@ -12,6 +12,7 @@
     "pixee:python/harden-pyyaml",
     "pixee:python/django-debug-flag-on",
     "pixee:python/url-sandbox",
+    "pixee:python/use-defusedxml",
     "pixee:python/use-walrus-if",
 ]
 

diff --git a/src/codemodder/scripts/generate_docs.py b/src/codemodder/scripts/generate_docs.py
@@ -110,6 +110,10 @@ class DocMetadata:
 +resp = safe_requests.get.get(url, allowed_protocols=("ftp",))
 ```""",
     ),
+    "use-defusedxml": DocMetadata(
+        importance="High",
+        guidance_explained="We believe this change is safe and effective and guards against serious XML vulnerabilities. You should review this code before merging to make sure the dependency has been properly added to your project.",
+    ),
     "use-walrus-if": DocMetadata(
         importance="Low",
         guidance_explained="We believe that using the walrus operator is an improvement in terms of clarity and readability. However, this change is only compatible with codebases that support Python 3.8 and later, so it requires quick validation before merging.",

diff --git a/src/core_codemods/__init__.py b/src/core_codemods/__init__.py
@@ -21,6 +21,7 @@
 from .upgrade_sslcontext_minimum_version import UpgradeSSLContextMinimumVersion
 from .upgrade_sslcontext_tls import UpgradeSSLContextTLS
 from .url_sandbox import UrlSandbox
+from .use_defused_xml import UseDefusedXml
 from .use_walrus_if import UseWalrusIf
 from .with_threading_lock import WithThreadingLock
 
@@ -50,6 +51,7 @@
         UpgradeSSLContextMinimumVersion,
         UpgradeSSLContextTLS,
         UrlSandbox,
+        UseDefusedXml,
         UseWalrusIf,
         WithThreadingLock,
     ],

diff --git a/src/core_codemods/docs/pixee_python_use-defusedxml.md b/src/core_codemods/docs/pixee_python_use-defusedxml.md
@@ -0,0 +1,24 @@
+You might be surprised to learn that Python's standard library XML libraries are
+[considered insecure](https://docs.python.org/3/library/xml.html#xml-vulnerabilities)
+against various kinds of attacks.
+
+In fact, the [Python documentation
+itself](https://docs.python.org/3/library/xml.html#the-defusedxml-package)
+recommends the use of [defusedxml](https://pypi.org/project/defusedxml/) for
+parsing untrusted XML data. `defusedxml` is an
+[open-source](https://github.com/tiran/defusedxml), permissively licensed
+project that is intended as a drop-in replacement for Python's standard library
+XML parsers.
+
+This codemod updates all relevant uses of the standard library parsers with
+safe versions from `defusedxml`. It also adds the `defusedxml` dependency to
+your project where possible.
+
+The changes from this codemod look like this:
+```diff
+- from xml.etree.ElementTree import parse
++ import defusedxml.ElementTree
+
+- et = parse('data.xml')
++ et = defusedxml.ElementTree.parse('data.xml')
+```