From 57c030be98d30a105342324951ed1b733992f94f Mon Sep 17 00:00:00 2001
From: ReimarBauer
Date: Fri, 13 Dec 2024 13:55:24 +0100
Subject: [PATCH 1/4] some fixes

---
 mslib/msui/flighttrack.py | 9 +++++----
 mslib/mswms/mpl_lsec.py | 2 +-
 mslib/mswms/mpl_vsec.py | 2 +-
 mslib/mswms/wms.py | 2 +-
 mslib/utils/__init__.py | 3 ++-
 5 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/mslib/msui/flighttrack.py b/mslib/msui/flighttrack.py
index cc6d51467..97cfe4c99 100644
--- a/mslib/msui/flighttrack.py
+++ b/mslib/msui/flighttrack.py
@@ -39,8 +39,9 @@ import os
 import fs
-import xml.dom.minidom
-import xml.parsers.expat
+import xml.dom.minidom # nosec
+import defusedxml.minidom
+from defusedxml import DefusedXmlException
 from PyQt5 import QtGui, QtCore, QtWidgets
@@ -97,8 +98,8 @@ def seconds_to_string(seconds):
 def load_from_xml_data(xml_content, name="Flight track"):
 try:
- doc = xml.dom.minidom.parseString(xml_content)
- except xml.parsers.expat.ExpatError as ex:
+ doc = defusedxml.minidom.parseString(xml_content)
+ except DefusedXmlException as ex:
 raise SyntaxError(str(ex))
 ft_el = doc.getElementsByTagName("FlightTrack")[0]
diff --git a/mslib/mswms/mpl_lsec.py b/mslib/mswms/mpl_lsec.py
index d7235ff40..5e647a4f7 100644
--- a/mslib/mswms/mpl_lsec.py
+++ b/mslib/mswms/mpl_lsec.py
@@ -27,7 +27,7 @@
 # style definitions should be put in mpl_lsec_styles.py
 import logging
-from xml.dom.minidom import getDOMImplementation
+from xml.dom.minidom import getDOMImplementation # nosec
 import matplotlib as mpl
 from pint import Quantity
diff --git a/mslib/mswms/mpl_vsec.py b/mslib/mswms/mpl_vsec.py
index 842e311fc..c540dceea 100644
--- a/mslib/mswms/mpl_vsec.py
+++ b/mslib/mswms/mpl_vsec.py
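Review bot: The new `except DefusedXmlException` no longer covers malformed input: `defusedxml.minidom.parseString` delegates to an expat builder and, to my knowledge, still raises `xml.parsers.expat.ExpatError` for syntactically bad XML, while `DefusedXmlException` is raised only for the forbidden constructs (DTD, entity declarations, external references) — so a corrupt flight-track file now escapes as ExpatError instead of the SyntaxError callers were written to catch. Keep `import xml.parsers.expat` and catch both: `except (DefusedXmlException, xml.parsers.expat.ExpatError) as ex:` followed by `raise SyntaxError(str(ex)) from ex`, which also preserves the cause chain. Since flight tracks need no DTD, `defusedxml.minidom.parseString(xml_content, forbid_dtd=True)` would additionally reject documents that carry one at all. The body of load_from_xml_data continues past the hunk.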
@@ -33,7 +33,7 @@ import logging
 import numpy as np
 from abc import abstractmethod
-from xml.dom.minidom import getDOMImplementation
+from xml.dom.minidom import getDOMImplementation # nosec
 import matplotlib as mpl
 from matplotlib.backends.backend_agg import FigureCanvasAgg as FigureCanvas
 import mpl_toolkits.axes_grid1
diff --git a/mslib/mswms/wms.py b/mslib/mswms/wms.py
index a95664e66..01fe8b265 100644
--- a/mslib/mswms/wms.py
+++ b/mslib/mswms/wms.py
@@ -52,7 +52,7 @@ import werkzeug
 import urllib.parse
-from xml.etree import ElementTree
+from defusedxml import ElementTree
 from chameleon import PageTemplateLoader
 from owslib.crs import axisorder_yx
 from PIL import Image
diff --git a/mslib/utils/__init__.py b/mslib/utils/__init__.py
index f6bb11e64..c5f56df0b 100644
--- a/mslib/utils/__init__.py
+++ b/mslib/utils/__init__.py
@@ -85,9 +85,10 @@ def setup_logging(args):
 logger.addHandler(fh)
+# ToDo likly this can be removed in python 3 because that uses unicode
 # modified Version from minidom, https://github.com/python/cpython/blob/2.7/Lib/xml/dom/minidom.py
 # MSS needed to change all writings as unicode not str
-from xml.dom.minidom import _write_data, Node
+from xml.dom.minidom import _write_data, Node # nosec
 # Copyright © 2001-2018 Python Software Foundation. All rights reserved.
 # Copyright © 2000 BeOpen.com. All rights reserved.

From b2fa2d0ad36a0d9c8f592e8e6580df92973f5907 Mon Sep 17 00:00:00 2001
From: ReimarBauer
Date: Fri, 13 Dec 2024 15:57:05 +0100
Subject: [PATCH 2/4] linter

---
 mslib/utils/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mslib/utils/__init__.py b/mslib/utils/__init__.py
index c5f56df0b..bbc40dbae 100644
--- a/mslib/utils/__init__.py
+++ b/mslib/utils/__init__.py
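Review bot: `from defusedxml import ElementTree` is a drop-in replacement only for the parsing entry points: as of defusedxml 0.7 the module re-exports `parse`, `fromstring`/`XML`, `iterparse`, `XMLParser`, `ParseError` and `tostring`, but not `Element`, `SubElement` or the `ElementTree` class. If wms.py builds responses with `ElementTree.Element(...)` or `ElementTree.SubElement(...)` (the usages are outside this hunk, so please grep), those calls now fail with AttributeError at runtime; in that case keep `from xml.etree import ElementTree` for building and import only the parsers from defusedxml, e.g. `from defusedxml.ElementTree import fromstring, parse`. A one-line comment on the import naming which input is parsed (client-supplied request bodies, presumably) would also record why the hardened parser is required here.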
@@ -85,7 +85,7 @@ def setup_logging(args):
 logger.addHandler(fh)
-# ToDo likly this can be removed in python 3 because that uses unicode
+# ToDo likely this can be removed in python 3 because that uses unicode
 # modified Version from minidom, https://github.com/python/cpython/blob/2.7/Lib/xml/dom/minidom.py
 # MSS needed to change all writings as unicode not str
 from xml.dom.minidom import _write_data, Node # nosec

From 2c79bdbcb51a6169d95986c34b947f3222f672f1 Mon Sep 17 00:00:00 2001
From: ReimarBauer
Date: Mon, 13 Jan 2025 17:13:28 +0100
Subject: [PATCH 3/4] improved

---
 mslib/msui/flighttrack.py | 6 +++---
 mslib/msui/kmloverlay_dockwidget.py | 7 ++++++-
 mslib/mswms/mpl_lsec.py | 4 ++--
 mslib/mswms/mpl_vsec.py | 4 ++--
 mslib/utils/__init__.py | 5 +++--
 5 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/mslib/msui/flighttrack.py b/mslib/msui/flighttrack.py
index 97cfe4c99..faad972fa 100644
--- a/mslib/msui/flighttrack.py
+++ b/mslib/msui/flighttrack.py
@@ -39,7 +39,7 @@ import os
 import fs
-import xml.dom.minidom # nosec
+import xml.dom.minidom
 import defusedxml.minidom
 from defusedxml import DefusedXmlException
@@ -56,7 +56,7 @@ from mslib.msui.performance_settings import DEFAULT_PERFORMANCE
 from mslib.utils import writexml
-xml.dom.minidom.Element.writexml = writexml
+xml.dom.minidom.Element.writexml = writexml # nosec We take care of writing correct xml
 # Constants for identifying the table columns when the WaypointsTableModel is
 # used with a QTableWidget.
 LOCATION, LAT, LON, FLIGHTLEVEL, PRESSURE = list(range(5))
@@ -616,7 +616,7 @@ def save_to_ftml(self, filename=None):
 file_dir.close()
 def get_xml_doc(self):
- doc = xml.dom.minidom.Document()
+ doc = xml.dom.minidom.Document() # nosec We take care of writing correct xml
 ft_el = doc.createElement("FlightTrack")
 ft_el.setAttribute("version", __version__)
 doc.appendChild(ft_el)
diff --git a/mslib/msui/kmloverlay_dockwidget.py b/mslib/msui/kmloverlay_dockwidget.py
index 660fd0f7d..8fa243ec1 100644
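Review bot: The `# nosec` markers added to `xml.dom.minidom.Element.writexml = writexml` and `doc = xml.dom.minidom.Document()` suppress nothing, while the one removed from `import xml.dom.minidom` in the first hunk was the one that mattered: bandit's minidom findings are B408 on the import statement and B318 on `parse`/`parseString` calls, so an attribute assignment and a `Document()` constructor are never reported. Unless your bandit invocation filters LOW-severity findings, this commit re-surfaces B408 at the import and leaves misleading annotations on harmless lines; I would keep `import xml.dom.minidom  # nosec B408 — only used to build documents, never to parse` and turn the two new markers into plain comments. Independently of the scanner, the assignment is a process-wide monkeypatch of a stdlib class — every minidom `Element` built in the same interpreter now serializes through `mslib.utils.writexml` — and deserves a comment saying so, e.g. `# Process-wide override: all minidom Elements serialize via mslib.utils.writexml`. get_xml_doc continues past the hunk.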
--- a/mslib/msui/kmloverlay_dockwidget.py
+++ b/mslib/msui/kmloverlay_dockwidget.py
@@ -601,8 +601,13 @@ def merge_file(self):
 for index in checked_files: # index is the indices of checked files
 _dirname, _name = os.path.split(self.listWidget.item(index).text())
 _fs = fs.open_fs(_dirname)
+ # Create a secure XML Parser
+ secure_parser = et.XMLParser(resolve_entities=False, no_network=True)
+ # resolve_entities False, prevents entity expansion
+ # no_network, prevents automatically loading remote documents
+ # https://gist.github.com/jack-om/f2c762f399e6ee652f05320921ece4c9
 with _fs.open(_name, 'r') as kmlf:
- tree = et.parse(kmlf) # parse kml file
+ tree = et.parse(kmlf, parser=secure_parser) # nosec parse KML file using the secured parser
 root = tree.getroot() # get the root of the file
 self.remove_ns(root) # removes and
 element.append(copy.deepcopy(root[0]))
diff --git a/mslib/mswms/mpl_lsec.py b/mslib/mswms/mpl_lsec.py
index 5e647a4f7..2fea223a6 100644
--- a/mslib/mswms/mpl_lsec.py
+++ b/mslib/mswms/mpl_lsec.py
@@ -27,7 +27,7 @@
 # style definitions should be put in mpl_lsec_styles.py
 import logging
-from xml.dom.minidom import getDOMImplementation # nosec
+from xml.dom.minidom import getDOMImplementation
 import matplotlib as mpl
 from pint import Quantity
@@ -92,7 +92,7 @@ def plot_lsection(self, data, lats, lons, valid_time, init_time):
 # Derive additional data fields and make the plot.
 self._prepare_datafields()
- impl = getDOMImplementation()
+ impl = getDOMImplementation() # nosec This is used to create and write a new XML document
 xmldoc = impl.createDocument(None, "MSS_LinearSection_Data", None)
 # Title of this section.
diff --git a/mslib/mswms/mpl_vsec.py b/mslib/mswms/mpl_vsec.py
index c540dceea..65f09612f 100644
--- a/mslib/mswms/mpl_vsec.py
+++ b/mslib/mswms/mpl_vsec.py
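Review bot: `et.XMLParser(resolve_entities=False, no_network=True)` is lxml's signature — the stdlib `xml.etree.ElementTree.XMLParser` accepts only `target` and `encoding` and raises TypeError on these keywords — so this only works if `et` is `lxml.etree`; the import is outside the hunk, please confirm. The comment also overstates the guarantee: `resolve_entities=False` stops entity substitution (and with it XXE/file disclosure), but an inline DOCTYPE is still parsed, and `no_network=True` is already lxml's default, so the line mostly restates defaults. I would build the parser once before the `for index in checked_files` loop rather than per file, make the remaining knobs explicit with `et.XMLParser(resolve_entities=False, no_network=True, load_dtd=False, dtd_validation=False)`, and document it as `# lxml parser hardened for untrusted KML: no entity substitution (XXE), no network fetches, no DTD loading`, citing the lxml FAQ rather than a personal gist. The enclosing merge_file starts outside the hunk.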
@@ -33,7 +33,7 @@ import logging
 import numpy as np
 from abc import abstractmethod
-from xml.dom.minidom import getDOMImplementation # nosec
+from xml.dom.minidom import getDOMImplementation
 import matplotlib as mpl
 from matplotlib.backends.backend_agg import FigureCanvasAgg as FigureCanvas
 import mpl_toolkits.axes_grid1
@@ -285,7 +285,7 @@ def plot_vsection(self, data, lats, lons, valid_time, init_time,
 # =========================================================================
 elif mime_type == "text/xml":
- impl = getDOMImplementation()
+ impl = getDOMImplementation() # nosec This is used to create and write a new XML document
 xmldoc = impl.createDocument(None, "MSS_VerticalSection_Data", None)
 # Title of this section.
diff --git a/mslib/utils/__init__.py b/mslib/utils/__init__.py
index bbc40dbae..24d0616c9 100644
--- a/mslib/utils/__init__.py
+++ b/mslib/utils/__init__.py
@@ -88,7 +88,7 @@ def setup_logging(args):
 # ToDo likely this can be removed in python 3 because that uses unicode
 # modified Version from minidom, https://github.com/python/cpython/blob/2.7/Lib/xml/dom/minidom.py
 # MSS needed to change all writings as unicode not str
-from xml.dom.minidom import _write_data, Node # nosec
+from xml.dom.minidom import _write_data, Node
 # Copyright © 2001-2018 Python Software Foundation. All rights reserved.
 # Copyright © 2000 BeOpen.com. All rights reserved.
@@ -103,11 +103,12 @@ def writexml(self, writer, indent="", addindent="", newl=""):
 for a_name in sorted(attrs.keys()):
 writer.write(" %s=\"" % a_name)
- _write_data(writer, attrs[a_name].value)
+ _write_data(writer, attrs[a_name].value) # nosec We take care of writing correct xml
 writer.write("\"")
 if self.childNodes:
 writer.write(">")
 if (len(self.childNodes) == 1 and
 self.childNodes[0].nodeType == Node.TEXT_NODE):
+ # nosec, we take care of writing correct xml
 self.childNodes[0].writexml(writer, '', '', '')
 else:
 writer.write(newl)

From 9a0daa60dd60b323f27f71ed4dae196e7f742653 Mon Sep 17 00:00:00 2001
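Review bot: The added `# nosec, we take care of writing correct xml` sits on a comment-only line, and bandit honours `# nosec` only on the line that produces a finding, so it has no effect on the `self.childNodes[0].writexml(...)` call below it — nor would that call, or the `_write_data(...)` call earlier in the hunk, ever be reported, since bandit's minidom checks are B408 on the import and B318 on `parse`/`parseString`. The marker that did suppress a finding, on `from xml.dom.minidom import _write_data, Node`, is removed in the preceding hunk, so that import will be flagged again unless LOW-severity findings are filtered in your run. I would drop both inert markers, keep the import annotated, and replace the comment with the property that actually matters here: `# _write_data escapes &, <, > and " so attribute values cannot break out of the element`. The enclosing writexml starts outside the hunk.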
From: ReimarBauer
Date: Mon, 13 Jan 2025 17:23:44 +0100
Subject: [PATCH 4/4] punctuation, wording

---
 mslib/msui/flighttrack.py | 4 ++--
 mslib/msui/kmloverlay_dockwidget.py | 2 +-
 mslib/mswms/mpl_lsec.py | 2 +-
 mslib/mswms/mpl_vsec.py | 2 +-
 mslib/utils/__init__.py | 4 ++--
 5 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/mslib/msui/flighttrack.py b/mslib/msui/flighttrack.py
index faad972fa..e668fabb4 100644
--- a/mslib/msui/flighttrack.py
+++ b/mslib/msui/flighttrack.py
@@ -56,7 +56,7 @@ from mslib.msui.performance_settings import DEFAULT_PERFORMANCE
 from mslib.utils import writexml
-xml.dom.minidom.Element.writexml = writexml # nosec We take care of writing correct xml
+xml.dom.minidom.Element.writexml = writexml # nosec, we take care of writing correct XML
 # Constants for identifying the table columns when the WaypointsTableModel is
 # used with a QTableWidget.
 LOCATION, LAT, LON, FLIGHTLEVEL, PRESSURE = list(range(5))
@@ -616,7 +616,7 @@ def save_to_ftml(self, filename=None):
 file_dir.close()
 def get_xml_doc(self):
- doc = xml.dom.minidom.Document() # nosec We take care of writing correct xml
+ doc = xml.dom.minidom.Document() # nosec, we take care of writing correct XML
 ft_el = doc.createElement("FlightTrack")
 ft_el.setAttribute("version", __version__)
 doc.appendChild(ft_el)
diff --git a/mslib/msui/kmloverlay_dockwidget.py b/mslib/msui/kmloverlay_dockwidget.py
index 8fa243ec1..6ea52753d 100644
--- a/mslib/msui/kmloverlay_dockwidget.py
+++ b/mslib/msui/kmloverlay_dockwidget.py
@@ -607,7 +607,7 @@ def merge_file(self):
 # no_network, prevents automatically loading remote documents
 # https://gist.github.com/jack-om/f2c762f399e6ee652f05320921ece4c9
 with _fs.open(_name, 'r') as kmlf:
- tree = et.parse(kmlf, parser=secure_parser) # nosec parse KML file using the secured parser
+ tree = et.parse(kmlf, parser=secure_parser) # nosec, parse using the secured parser
 root = tree.getroot() # get the root of the file
 self.remove_ns(root) # removes and
 element.append(copy.deepcopy(root[0]))
diff --git a/mslib/mswms/mpl_lsec.py b/mslib/mswms/mpl_lsec.py
index 2fea223a6..e36a7ec7c 100644
--- a/mslib/mswms/mpl_lsec.py
+++ b/mslib/mswms/mpl_lsec.py
@@ -92,7 +92,7 @@ def plot_lsection(self, data, lats, lons, valid_time, init_time):
 # Derive additional data fields and make the plot.
 self._prepare_datafields()
- impl = getDOMImplementation() # nosec This is used to create and write a new XML document
+ impl = getDOMImplementation() # nosec, this is used to create and write a new XML document
 xmldoc = impl.createDocument(None, "MSS_LinearSection_Data", None)
 # Title of this section.
diff --git a/mslib/mswms/mpl_vsec.py b/mslib/mswms/mpl_vsec.py
index 65f09612f..d872335a5 100644
--- a/mslib/mswms/mpl_vsec.py
+++ b/mslib/mswms/mpl_vsec.py
@@ -285,7 +285,7 @@ def plot_vsection(self, data, lats, lons, valid_time, init_time,
 # =========================================================================
 elif mime_type == "text/xml":
- impl = getDOMImplementation() # nosec This is used to create and write a new XML document
+ impl = getDOMImplementation() # nosec, this is used to create and write a new XML document
 xmldoc = impl.createDocument(None, "MSS_VerticalSection_Data", None)
 # Title of this section.
diff --git a/mslib/utils/__init__.py b/mslib/utils/__init__.py
index 24d0616c9..0dc45d77e 100644
--- a/mslib/utils/__init__.py
+++ b/mslib/utils/__init__.py
@@ -103,12 +103,12 @@ def writexml(self, writer, indent="", addindent="", newl=""):
 for a_name in sorted(attrs.keys()):
 writer.write(" %s=\"" % a_name)
- _write_data(writer, attrs[a_name].value) # nosec We take care of writing correct xml
+ _write_data(writer, attrs[a_name].value) # nosec, we take care of writing correct XML
 writer.write("\"")
 if self.childNodes:
 writer.write(">")
 if (len(self.childNodes) == 1 and
 self.childNodes[0].nodeType == Node.TEXT_NODE):
- # nosec, we take care of writing correct xml
+ # nosec, we take care of writing correct XML
 self.childNodes[0].writexml(writer, '', '', '')
 else:
 writer.write(newl)