
Commit 921d554

committed
Use defusedxml library to reduce xml attack surface (#1002)
replace ET.fromstring with defusedxml.fromstring
1 parent 213a70c commit 921d554


104 files changed

+417
-389
lines changed


104 files changed

+417
-389
lines changed

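--- a/setup.py
+++ b/setup.py
@@ -33,6 +33,7 @@
 test_suite='test',
 setup_requires=pytest_runner,
 install_requires=[
+'defusedxml>=0.7.1',
 'requests>=2.11,<3.0',
 ],
 tests_require=test_requirements,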

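--- a/tableauserverclient/__init__.py
+++ b/tableauserverclient/__init__.py
@@ -1,4 +1,4 @@
-from .namespace import NEW_NAMESPACE as DEFAULT_NAMESPACE
+from ._version import get_versions
 from .models import (
 ConnectionCredentials,
 ConnectionItem,
@@ -37,6 +37,7 @@
 FlowRunItem,
 RevisionItem,
 )
+from .namespace import NEW_NAMESPACE as DEFAULT_NAMESPACE
 from .server import (
 RequestOptions,
 CSVRequestOptions,
@@ -50,7 +51,6 @@
 NotSignedInError,
 Pager,
 )
-from ._version import get_versions
 
 __version__ = get_versions()["version"]
 __VERSION__ = __version__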
Lines changed: 10 additions & 10 deletions
@@ -1,16 +1,16 @@
1+
from .column_item import ColumnItem
12
from .connection_credentials import ConnectionCredentials
23
from .connection_item import ConnectionItem
3-
from .column_item import ColumnItem
44
from .data_acceleration_report_item import DataAccelerationReportItem
55
from .data_alert_item import DataAlertItem
6-
from .datasource_item import DatasourceItem
76
from .database_item import DatabaseItem
7+
from .datasource_item import DatasourceItem
88
from .dqw_item import DQWItem
99
from .exceptions import UnpopulatedPropertyError
1010
from .favorites_item import FavoriteItem
11-
from .group_item import GroupItem
1211
from .flow_item import FlowItem
1312
from .flow_run_item import FlowRunItem
13+
from .group_item import GroupItem
1414
from .interval_item import (
1515
IntervalItem,
1616
DailyInterval,
@@ -20,20 +20,20 @@
2020
)
2121
from .job_item import JobItem, BackgroundJobItem
2222
from .pagination_item import PaginationItem
23+
from .permissions_item import PermissionsRule, Permission
24+
from .personal_access_token_auth import PersonalAccessTokenAuth
25+
from .personal_access_token_auth import PersonalAccessTokenAuth
2326
from .project_item import ProjectItem
27+
from .revision_item import RevisionItem
2428
from .schedule_item import ScheduleItem
2529
from .server_info_item import ServerInfoItem
2630
from .site_item import SiteItem
31+
from .subscription_item import SubscriptionItem
32+
from .table_item import TableItem
2733
from .tableau_auth import TableauAuth
28-
from .personal_access_token_auth import PersonalAccessTokenAuth
2934
from .target import Target
30-
from .table_item import TableItem
3135
from .task_item import TaskItem
3236
from .user_item import UserItem
3337
from .view_item import ViewItem
34-
from .workbook_item import WorkbookItem
35-
from .subscription_item import SubscriptionItem
36-
from .permissions_item import PermissionsRule, Permission
3738
from .webhook_item import WebhookItem
38-
from .personal_access_token_auth import PersonalAccessTokenAuth
39-
from .revision_item import RevisionItem
39+
from .workbook_item import WorkbookItem
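Review bot: `from .personal_access_token_auth import PersonalAccessTokenAuth` appears twice in a row in the re-sorted import block (new lines 24 and 25). The old file already carried the line twice (old lines 28 and 38), so the sort preserved the duplicate and placed the two copies next to each other. It is harmless at runtime, but one of the two lines should be dropped. The file header for this section is missing from the page, so the path is not named here.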

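--- a/tableauserverclient/models/column_item.py
+++ b/tableauserverclient/models/column_item.py
@@ -1,4 +1,4 @@
-import xml.etree.ElementTree as ET
+from defusedxml.ElementTree import fromstring
 
 from .property_decorators import property_not_empty
 
@@ -47,7 +47,7 @@ def _set_values(self, id, name, description, remote_type):
 @classmethod
 def from_response(cls, resp, ns):
 all_column_items = list()
-parsed_response = ET.fromstring(resp)
+parsed_response = fromstring(resp)
 all_column_xml = parsed_response.findall(".//t:column", namespaces=ns)
 
 for column_xml in all_column_xml: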
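Review bot: `from_response` has no docstring, and `fromstring(resp)` can now raise exceptions that the stdlib parser never did. With defusedxml's defaults, a response that declares entities or external references is rejected with `EntitiesForbidden` or `ExternalReferenceForbidden`, subclasses of `defusedxml.DefusedXmlException` (a `ValueError`), so a caller that only handles `xml.etree.ElementTree.ParseError` will not catch them. Failing closed is the right behaviour, but it should be stated, for example with a docstring line `Raises defusedxml.DefusedXmlException if the response contains entity declarations or external references.` The same applies to the `from_response` changes in connection_item.py, data_acceleration_report_item.py, data_alert_item.py, database_item.py, datasource_item.py and dqw_item.py. The method body continues past the hunk, so whether any caller wraps these calls is not visible here.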

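--- a/tableauserverclient/models/connection_item.py
+++ b/tableauserverclient/models/connection_item.py
@@ -1,4 +1,5 @@
-import xml.etree.ElementTree as ET
+from defusedxml.ElementTree import fromstring
+
 from .connection_credentials import ConnectionCredentials
 
 
@@ -39,7 +40,7 @@ def __repr__(self):
 @classmethod
 def from_response(cls, resp, ns):
 all_connection_items = list()
-parsed_response = ET.fromstring(resp)
+parsed_response = fromstring(resp)
 all_connection_xml = parsed_response.findall(".//t:connection", namespaces=ns)
 for connection_xml in all_connection_xml:
 connection_item = cls()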

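--- a/tableauserverclient/models/data_acceleration_report_item.py
+++ b/tableauserverclient/models/data_acceleration_report_item.py
@@ -1,4 +1,4 @@
-import xml.etree.ElementTree as ET
+from defusedxml.ElementTree import fromstring
 
 
 class DataAccelerationReportItem(object):
@@ -70,7 +70,7 @@ def _parse_element(comparison_record_xml, ns):
 @classmethod
 def from_response(cls, resp, ns):
 comparison_records = list()
-parsed_response = ET.fromstring(resp)
+parsed_response = fromstring(resp)
 all_comparison_records_xml = parsed_response.findall(".//t:comparisonRecord", namespaces=ns)
 for comparison_record_xml in all_comparison_records_xml:
 (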

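--- a/tableauserverclient/models/data_alert_item.py
+++ b/tableauserverclient/models/data_alert_item.py
@@ -1,15 +1,12 @@
-import xml.etree.ElementTree as ET
+from typing import List, Optional, TYPE_CHECKING
+
+from defusedxml.ElementTree import fromstring
 
 from .property_decorators import (
 property_not_empty,
 property_is_enum,
 property_is_boolean,
 )
-from .user_item import UserItem
-from .view_item import ViewItem
-
-
-from typing import List, Optional, TYPE_CHECKING
 
 if TYPE_CHECKING:
 from datetime import datetime
@@ -181,7 +178,7 @@ def _set_values(
 @classmethod
 def from_response(cls, resp, ns) -> List["DataAlertItem"]:
 all_alert_items = list()
-parsed_response = ET.fromstring(resp)
+parsed_response = fromstring(resp)
 all_alert_xml = parsed_response.findall(".//t:dataAlert", namespaces=ns)
 
 for alert_xml in all_alert_xml: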

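--- a/tableauserverclient/models/database_item.py
+++ b/tableauserverclient/models/database_item.py
@@ -1,11 +1,11 @@
-import xml.etree.ElementTree as ET
+from defusedxml.ElementTree import fromstring
 
+from .exceptions import UnpopulatedPropertyError
 from .property_decorators import (
 property_is_enum,
 property_not_empty,
 property_is_boolean,
 )
-from .exceptions import UnpopulatedPropertyError
 
 
 class DatabaseItem(object):
@@ -254,7 +254,7 @@ def _set_data_quality_warnings(self, dqw):
 @classmethod
 def from_response(cls, resp, ns):
 all_database_items = list()
-parsed_response = ET.fromstring(resp)
+parsed_response = fromstring(resp)
 all_database_xml = parsed_response.findall(".//t:database", namespaces=ns)
 
 for database_xml in all_database_xml: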

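--- a/tableauserverclient/models/datasource_item.py
+++ b/tableauserverclient/models/datasource_item.py
@@ -1,4 +1,9 @@
+import copy
 import xml.etree.ElementTree as ET
+from typing import Dict, List, Optional, Set, Tuple, TYPE_CHECKING
+
+from defusedxml.ElementTree import fromstring
+
 from .exceptions import UnpopulatedPropertyError
 from .property_decorators import (
 property_not_nullable,
@@ -7,9 +12,6 @@
 )
 from .tag_item import TagItem
 from ..datetime_helpers import parse_datetime
-import copy
-
-from typing import Dict, List, Optional, Set, Tuple, TYPE_CHECKING, Union
 
 if TYPE_CHECKING:
 from .permissions_item import PermissionsRule
@@ -189,7 +191,7 @@ def _set_revisions(self, revisions):
 
 def _parse_common_elements(self, datasource_xml, ns):
 if not isinstance(datasource_xml, ET.Element):
-datasource_xml = ET.fromstring(datasource_xml).find(".//t:datasource", namespaces=ns)
+datasource_xml = fromstring(datasource_xml).find(".//t:datasource", namespaces=ns)
 if datasource_xml is not None:
 (
 ask_data_enablement,
@@ -294,7 +296,7 @@ def _set_values(
 @classmethod
 def from_response(cls, resp: str, ns: Dict) -> List["DatasourceItem"]:
 all_datasource_items = list()
-parsed_response = ET.fromstring(resp)
+parsed_response = fromstring(resp)
 all_datasource_xml = parsed_response.findall(".//t:datasource", namespaces=ns)
 
 for datasource_xml in all_datasource_xml: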
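Review bot: The module still imports `xml.etree.ElementTree as ET` (new line 2), and in the visible hunks it is used only for the `isinstance(datasource_xml, ET.Element)` check in `_parse_common_elements`. That keeps the unhardened `ET.fromstring` available in the namespace, where a later edit could reintroduce it without anyone noticing. Narrowing the import to `from xml.etree.ElementTree import Element` and testing `isinstance(datasource_xml, Element)` keeps the type check and leaves `fromstring` from defusedxml as the only parser in scope. defusedxml's `fromstring` returns standard-library `Element` objects, so the check keeps working. `_parse_common_elements` continues beyond the hunk, and other uses of `ET` elsewhere in the file are not visible here.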

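--- a/tableauserverclient/models/dqw_item.py
+++ b/tableauserverclient/models/dqw_item.py
@@ -1,4 +1,5 @@
-import xml.etree.ElementTree as ET
+from defusedxml.ElementTree import fromstring
+
 from ..datetime_helpers import parse_datetime
 
 
@@ -98,7 +99,7 @@ def updated_at(self, value):
 
 @classmethod
 def from_response(cls, resp, ns):
-return cls.from_xml_element(ET.fromstring(resp), ns)
+return cls.from_xml_element(fromstring(resp), ns)
 
 @classmethod
 def from_xml_element(cls, parsed_response, ns):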
