Module defusedxml.lxml is not fully protected and is deprecated

[glarrain]

We rely on function defusedxml.lxml.fromstring() for our function libs.xml_utils.parse_untrusted_xml(). What should we use instead?

DEPRECATED Example code for lxml.etree protection
The code has NO protection against decompression bombs.

Source

defusedxml.lxml
DEPRECATED The module is deprecated and will be removed in a future release.

Source

CC @jtrh

Alternatives

Perhaps there are others?

• defusedxml.ElementTree.fromstring
• defusedxml.cElementTree.fromstring

[jtrh]

The owner of the defusedxml repository is thinking of ways to solve this issue (the deprecation part, at least): tiran/defusedxml#38 (comment).

Is the function defusedxml.lxml.fromstring() they only part of defusedxml.lxml that we use?

[glarrain]

Is the function defusedxml.lxml.fromstring() they only part of defusedxml.lxml that we use?

Yes. However, since that uses lxml, the XML-related classes that we reference all over the place in that project and others are aliases to lxml classes:

https://github.com/fyndata/lib-cl-sii-python/blob/cde9fe6e09a4e97bee55134c7419eb62fecd5111/cl_sii/libs/xml_utils.py#L31-L34

[jtrh]

SignXML removed the DefusedXML dependency by incorporating its useful parts. See XML-Security/signxml@83c05fb.

[glarrain]

Useful stuff:

• https://github.com/XML-Security/signxml/blob/master/signxml/util/__init__.py
• https://github.com/XML-Security/signxml/blob/83c05fbfdc9efbea0ddc13cd490b423bb772ef5d/signxml/__init__.py#L185-L245