You might be surprised to learn that Python's built-in XML libraries are considered insecure against various kinds of attacks.

In fact, the Python documentation itself recommends the use of defusedxml for parsing untrusted XML data. defusedxml is an open-source, permissively licensed project that is intended as a drop-in replacement for Python's standard library XML parsers.

This codemod updates all relevant uses of the standard library parsers with safe versions from defusedxml. It also adds the defusedxml dependency to your project where possible.

The changes from this codemod look like this:

- from xml.etree.ElementTree import parse
+ import defusedxml.ElementTree
- et = parse('data.xml')
+ et = defusedxml.ElementTree.parse('data.xml')

Dependency Updates

This codemod relies on an external dependency. We have automatically added this dependency to your project's setup.py file.

This package is recommended by the Python community to protect against XML vulnerabilities.

There are a number of places where Python project dependencies can be expressed, including setup.py, pyproject.toml, setup.cfg, and requirements.txt files. If this change is incorrect, or if you are using another packaging system such as poetry, it may be necessary for you to manually add the dependency to the proper location in your project.

I have additional improvements ready for this repo! If you want to see them, leave the comment:

@pixeebot next

... and I will open a new PR right away!

Powered by: pixeebot (codemod ID: pixee:python/use-defusedxml)