openedx.core.lib.safe_lxml package
Submodules
openedx.core.lib.safe_lxml.conftest module
Code run by pytest before running any tests in the safe_lxml directory.
openedx.core.lib.safe_lxml.etree module
Safer version of lxml.etree.
It overrides some unsafe functions from lxml.etree with safer versions from defusedxml. It also includes a safer XMLParser.
For processing XML, always prefer this module over using lxml.etree directly.
- class openedx.core.lib.safe_lxml.etree.XMLParser(*args, **kwargs)
  Bases: XMLParser
  A safer version of XMLParser which by default disables entity resolution.
openedx.core.lib.safe_lxml.xmlparser module
lxml.etree protection
- class openedx.core.lib.safe_lxml.xmlparser.GlobalParserTLS
  Bases: _local
  Thread-local context for custom parser instances.
  - create_default_parser()
    Create a secure XMLParser using the restricted element class.
  - element_class
    alias of RestrictedElement
  - get_default_parser()
    Return the thread-local default parser, creating it if missing.
  - parser_config = {'resolve_entities': False}
  - set_default_parser(parser)
    Store a thread-local default XML parser instance.
- class openedx.core.lib.safe_lxml.xmlparser.RestrictedElement
  Bases: ElementBase
  A restricted Element class that filters out instances of some classes.
  - blacklist = (<class 'lxml.etree._Entity'>, <class 'lxml.etree._ProcessingInstruction'>, <class 'lxml.etree._Comment'>)
  - getchildren()
    Return a list of non-blacklisted child elements.
  - getiterator(tag=None)
    Iterate over the tree with blacklisted nodes filtered out.
  - iter(tag=None, *tags)
    Iterate over the element tree excluding blacklisted nodes.
  - iterchildren(tag=None, reversed=False)
    Iterate over child elements while excluding blacklisted nodes.
  - iterdescendants(tag=None, *tags)
    Iterate over descendants while filtering out blacklisted nodes.
  - itersiblings(tag=None, preceding=False)
    Iterate over siblings excluding blacklisted node types.
- openedx.core.lib.safe_lxml.xmlparser.XML(text, parser=None, base_url=None, forbid_dtd=False, forbid_entities=True)
  Securely parse XML from a string and validate docinfo.
- openedx.core.lib.safe_lxml.xmlparser.check_docinfo(elementtree, forbid_dtd=False, forbid_entities=True)
  Check the docinfo of an element tree for DTD and entity declarations. The check for entity declarations needs lxml 3 or newer; lxml 2.x does not support dtd.iterentities().
- openedx.core.lib.safe_lxml.xmlparser.fromstring(text, parser=None, base_url=None, forbid_dtd=False, forbid_entities=True)
  Securely parse XML from a string and validate docinfo.
- openedx.core.lib.safe_lxml.xmlparser.get_default_parser()
  Return the thread-local default parser, creating it if missing.
- openedx.core.lib.safe_lxml.xmlparser.iterparse(*args, **kwargs)
  Disabled XML iterparse function that always raises NotSupportedError.
- openedx.core.lib.safe_lxml.xmlparser.parse(source, parser=None, base_url=None, forbid_dtd=False, forbid_entities=True)
  Securely parse XML from a source and enforce DTD/entity restrictions.
Module contents
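The combination the functions above describe (a parser with entity resolution disabled, a post-parse docinfo check for DTD and entity declarations, and element iteration that drops entity, processing-instruction and comment nodes) is shown here as an added example written on plain lxml. It is not the safe_lxml package's own code: the exception classes, the no_network parser flag and the helper names are this example's assumptions, and the blacklist and check_docinfo logic mirror the behaviour documented on this page.

```python
# Added example (not the project's own code): the docinfo check and the
# restricted-element filtering that safe_lxml documents, re-implemented on top
# of plain lxml so it can be read and run on its own. The exception classes,
# helper names and the no_network flag are this example's assumptions.
from lxml import etree


class DTDForbidden(ValueError):
    """Raised when a document carries a DOCTYPE and DTDs are forbidden."""


class EntitiesForbidden(ValueError):
    """Raised when a DTD declares entities and entities are forbidden."""


# Node types that RestrictedElement filters out of its iteration results.
BLACKLIST = (etree._Entity, etree._ProcessingInstruction, etree._Comment)


def make_safe_parser():
    """Parser that leaves entity references unexpanded and never fetches over the network."""
    return etree.XMLParser(resolve_entities=False, no_network=True)


def check_docinfo(elementtree, forbid_dtd=False, forbid_entities=True):
    """Inspect the parsed document's DTD for forbidden constructs.

    The tree is already parsed with expansion switched off, so this is a
    post-parse policy check layered on top of the parser settings.
    """
    docinfo = elementtree.docinfo
    if forbid_dtd and docinfo.doctype:
        raise DTDForbidden(docinfo.doctype)
    if forbid_entities:
        for dtd in (docinfo.internalDTD, docinfo.externalDTD):
            if dtd is None:
                continue
            for entity in dtd.iterentities():  # needs lxml 3 or newer
                raise EntitiesForbidden(entity.name)


def fromstring(text, forbid_dtd=False, forbid_entities=True):
    """Parse XML text with the safe parser, then apply the docinfo policy."""
    root = etree.fromstring(text, parser=make_safe_parser())
    check_docinfo(root.getroottree(), forbid_dtd=forbid_dtd, forbid_entities=forbid_entities)
    return root


def getchildren(element):
    """Children of element with entity, PI and comment nodes filtered out."""
    return [child for child in element if not isinstance(child, BLACKLIST)]


# Constructed sample documents (not taken from the project).
PLAIN = "<root><item/><!-- comment --><?pi data?><item/></root>"
WITH_ENTITY = '<!DOCTYPE root [<!ENTITY greeting "hello">]><root>&greeting;</root>'


def demo():
    """Return a summary dict so each behaviour can be checked without printing."""
    plain_root = fromstring(PLAIN)
    summary = {
        "raw_child_count": len(plain_root),
        "filtered_tags": [child.tag for child in getchildren(plain_root)],
    }
    try:
        fromstring(WITH_ENTITY)
    except EntitiesForbidden as exc:
        summary["entity_rejected"] = str(exc)
    try:
        fromstring(WITH_ENTITY, forbid_dtd=True, forbid_entities=False)
    except DTDForbidden:
        summary["dtd_rejected"] = True
    # Policy fully relaxed: the document parses, but because the parser has
    # resolve_entities=False the reference is kept as an unexpanded node,
    # which the restricted child listing then filters out.
    relaxed = fromstring(WITH_ENTITY, forbid_entities=False)
    summary["unexpanded_entity"] = isinstance(relaxed[0], etree._Entity)
    summary["relaxed_filtered"] = getchildren(relaxed)
    return summary


if __name__ == "__main__":
    print(demo())
```

Two layers do the work here: the parser flag stops expansion at parse time, and check_docinfo turns a document that even declares a DTD or entity into a hard error, so the default policy (forbid_entities=True) rejects such input rather than silently keeping an unexpanded reference.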
Defuse vulnerabilities in XML packages.
- openedx.core.lib.safe_lxml.defuse_xml_libs()
Monkey patch and defuse all stdlib xml packages and lxml.