RH-FMK / skt / 1257 / 1

66%

master: 66%

push

travis-ci

Use defusedxml for XML parsing

In theory, a user can pass a maliciously crafted XML, exploiting the
server/testing side. While currently it means they would exploit their
own infrastructure, if in the future there is a publicly available
service allowing people to run eg. custom tests or pass their own
Beaker XMLs, the possibility to expoit the organization running the
service grows exponentially.

xml.ElementTree is safe against external entity expansion, DTD retrieval
and decompression bomb, but not against exponential entity expansion or
quadratic blowup entity expansion. defusedxml provides a modified
fromstring method for parsing untrusted XMLs, to prevent the exploits
original ElementTree is not protected against.

Signed-off-by: Veronika Kabatova <vkabatov@redhat.com>

309 of 525 branches covered (58.86%)

Branch coverage included in aggregate %.

997 of 1438 relevant lines covered (69.33%)

0.69 hits per line