some fixes for et

mslib/msui/flighttrack.py

@@ -40,7 +40,8 @@
 
 import fs
 import xml.dom.minidom
-import xml.parsers.expat
+import defusedxml.minidom
+from defusedxml import DefusedXmlException
 
 from PyQt5 import QtGui, QtCore, QtWidgets
 
@@ -55,7 +56,7 @@
 from mslib.msui.performance_settings import DEFAULT_PERFORMANCE
 
 from mslib.utils import writexml
-xml.dom.minidom.Element.writexml = writexml
+xml.dom.minidom.Element.writexml = writexml  # nosec, we take care of writing correct XML
 # Constants for identifying the table columns when the WaypointsTableModel is
 # used with a QTableWidget.
 LOCATION, LAT, LON, FLIGHTLEVEL, PRESSURE = list(range(5))
@@ -97,8 +98,8 @@ def seconds_to_string(seconds):
 
 def load_from_xml_data(xml_content, name="Flight track"):
     try:
-        doc = xml.dom.minidom.parseString(xml_content)
-    except xml.parsers.expat.ExpatError as ex:
+        doc = defusedxml.minidom.parseString(xml_content)
+    except DefusedXmlException as ex:
         raise SyntaxError(str(ex))
 
     ft_el = doc.getElementsByTagName("FlightTrack")[0]
@@ -615,7 +616,7 @@ def save_to_ftml(self, filename=None):
         file_dir.close()
 
     def get_xml_doc(self):
-        doc = xml.dom.minidom.Document()
+        doc = xml.dom.minidom.Document()  # nosec, we take care of writing correct XML
         ft_el = doc.createElement("FlightTrack")
         ft_el.setAttribute("version", __version__)
         doc.appendChild(ft_el)

mslib/msui/kmloverlay_dockwidget.py

@@ -601,8 +601,13 @@ def merge_file(self):
                     for index in checked_files:  # index is the indices of checked files
                         _dirname, _name = os.path.split(self.listWidget.item(index).text())
                         _fs = fs.open_fs(_dirname)
+                        # Create a secure XML Parser
+                        secure_parser = et.XMLParser(resolve_entities=False, no_network=True)
+                        # resolve_entities False, prevents entity expansion
+                        # no_network, prevents automatically loading remote documents
+                        # https://gist.github.com/jack-om/f2c762f399e6ee652f05320921ece4c9
                         with _fs.open(_name, 'r') as kmlf:
-                            tree = et.parse(kmlf)  # parse kml file
+                            tree = et.parse(kmlf, parser=secure_parser)  # nosec, parse using the secured parser
                             root = tree.getroot()  # get the root of the file
                             self.remove_ns(root)  # removes <kml> and </kml>
                             element.append(copy.deepcopy(root[0]))

mslib/mswms/mpl_lsec.py

@@ -92,7 +92,7 @@ def plot_lsection(self, data, lats, lons, valid_time, init_time):
         # Derive additional data fields and make the plot.
         self._prepare_datafields()
 
-        impl = getDOMImplementation()
+        impl = getDOMImplementation()  # nosec, this is used to create and write a new XML document
         xmldoc = impl.createDocument(None, "MSS_LinearSection_Data", None)
 
         # Title of this section.

mslib/mswms/mpl_vsec.py

@@ -285,7 +285,7 @@ def plot_vsection(self, data, lats, lons, valid_time, init_time,
         # =========================================================================
         elif mime_type == "text/xml":
 
-            impl = getDOMImplementation()
+            impl = getDOMImplementation()  # nosec, this is used to create and write a new XML document
             xmldoc = impl.createDocument(None, "MSS_VerticalSection_Data", None)
 
             # Title of this section.

mslib/mswms/wms.py

@@ -52,7 +52,7 @@
 import werkzeug
 import urllib.parse
 
-from xml.etree import ElementTree
+from defusedxml import ElementTree
 from chameleon import PageTemplateLoader
 from owslib.crs import axisorder_yx
 from PIL import Image

mslib/utils/__init__.py

@@ -85,6 +85,7 @@ def setup_logging(args):
             logger.addHandler(fh)
 
 
+# ToDo likely this can be removed in python 3 because that uses unicode
 # modified Version from minidom, https://github.com/python/cpython/blob/2.7/Lib/xml/dom/minidom.py
 # MSS needed to change all writings as unicode not str
 from xml.dom.minidom import _write_data, Node
@@ -102,11 +103,12 @@ def writexml(self, writer, indent="", addindent="", newl=""):
 
     for a_name in sorted(attrs.keys()):
         writer.write(" %s=\"" % a_name)
-        _write_data(writer, attrs[a_name].value)
+        _write_data(writer, attrs[a_name].value)  # nosec, we take care of writing correct XML
         writer.write("\"")
     if self.childNodes:
         writer.write(">")
         if (len(self.childNodes) == 1 and self.childNodes[0].nodeType == Node.TEXT_NODE):
+            # nosec, we take care of writing correct XML
             self.childNodes[0].writexml(writer, '', '', '')
         else:
             writer.write(newl)