Implement codemod for replacing unsafe xml methods with defusedxml #76
Conversation
drdavella
force-pushed
the
use-defused-xml
branch
from
0d0cca6 to
f5b024c
Compare
Codecov Report
@@ Coverage Diff @@
## main #76 +/- ##
==========================================
+ Coverage 96.21% 96.33% +0.12%
==========================================
Files 46 48 +2
Lines 1824 1885 +61
==========================================
+ Hits 1755 1816 +61
Misses 69 69
|
drdavella
force-pushed
the
use-defused-xml
branch
from
f5b024c to
9180544
Compare
| """ | ||
|
|
||
| new_code = f""" | ||
| from xml.etree.{module} import ElementPath |
There was a problem hiding this comment.
this line is unused so I would've expected the remove import visitor to have removed it
There was a problem hiding this comment.
That's an interesting point...
There was a problem hiding this comment.
will this be something you can resolve now or ticket for later?
There was a problem hiding this comment.
I'll ticket it for later; I don't think it directly is a result of this PR.
| # it is a simple name, e.g. call() -> module.new_call() | ||
| return self.update_simple_name( | ||
| true_name, original_node, updated_node, new_args | ||
| ) |
There was a problem hiding this comment.
Just a small clarification om this bit of code here.
Within the context of https codemod this comment and logic was accurate. But this may not be general enough.
Consider:
from lib import call
call()We have the option to simply change the call...
from lib import call
import lib2
lib2.call2()or changing the call and import:
from lib2 import call2
call2()The second has an advantage of not having a possibly useless import (not much of a problem since we have a codemod to amend that). Then again, then reason why I've favored the first one for the https codemod was because the change became more explicit.
The second transformation is a bit harder to do but within the realm of possibility. Just tell me if you want me to support that.
There was a problem hiding this comment.
@andrecsilva that makes sense. It might be good to revisit at some point but right now I like that the updated call becomes completely explicit.
drdavella
force-pushed
the
use-defused-xml
branch
from
9180544 to
747f723
Compare
drdavella
force-pushed
the
use-defused-xml
branch
from
747f723 to
cb5c10a
Compare
|
|
||
| METADATA_DEPENDENCIES = (PositionProvider,) | ||
|
|
||
| matching_functions = { | ||
| matching_functions: set[str] = { |
There was a problem hiding this comment.
You could have this be a keys-only dict. It would feel more consistent.
There was a problem hiding this comment.
I'm not aware of any such construct; do you just mean a dict where the values are None?
drdavella
force-pushed
the
use-defused-xml
branch
from
cb5c10a to
4bd530c
Compare
|
Codecov is upset but I don't think I actually changed the coverage here; I just refactored some previously uncovered lines into a new file that it doesn't recognize. |
| @@ -43,7 +43,7 @@ class CsvListAction(argparse.Action): | |||
| argparse Action to convert "a,b,c" into ["a", "b", "c"] | |||
| """ | |||
|
|
|||
| def __call__(self, parser, namespace, values: str, option_string=None): | |||
| def __call__(self, parser, namespace, values, option_string=None): | |||
There was a problem hiding this comment.
I think this was mypy, right? Isn't it weird that we fix a typing problem by ... removing typing?
There was a problem hiding this comment.
Yeah I (wrongly) introduced this on a previous PR when mypy wasn't working for me. The underlying code itself is not typed correctly and I thought adding this would fix it (but it does not).
drdavella
force-pushed
the
use-defused-xml
branch
from
4bd530c to
08735a5
Compare
Overview
Implement codemod for replacing unsafe
xmlmethods withdefusedxmlDescription
xmlmodules as unsafe and recommends the use ofdefusedxml, which is a third-party packagexmlwith safe ones fromdefusedxmlhttps-connectioncodemodNext Steps
defusedxmldependency. I am leaving this as separate work because I want to make sure we are adding a good CodeTF comment as well, which requires some additional infrastructure.