From 668ae810480ea29013c81e56739eef916095a31d Mon Sep 17 00:00:00 2001 From: "Yang,Yu-chu" Date: Thu, 29 Jul 2021 14:02:50 -0700 Subject: [PATCH] config-tools: replace xml.etree.ElementTree with defusedxml.ElementTree Using xml.etree.ElementTree to parse the untrusted data is known to raise security issue. Replaced it using defusedxml. Tracked-On: #6342 Signed-off-by: Yang,Yu-chu --- doc/getting-started/building-from-source.rst | 2 +- doc/getting-started/getting-started.rst | 2 +- misc/config_tools/config_app/requirements | 1 + misc/config_tools/library/common.py | 2 +- 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/doc/getting-started/building-from-source.rst b/doc/getting-started/building-from-source.rst index f9d768c7a..fbe84247e 100644 --- a/doc/getting-started/building-from-source.rst +++ b/doc/getting-started/building-from-source.rst @@ -80,7 +80,7 @@ ACRN. xsltproc \ clang-format - sudo pip3 install lxml xmlschema + sudo pip3 install lxml xmlschema defusedxml wget https://acpica.org/sites/acpica/files/acpica-unix-20210105.tar.gz tar zxvf acpica-unix-20210105.tar.gz diff --git a/doc/getting-started/getting-started.rst b/doc/getting-started/getting-started.rst index 57fbdb122..4c7e9c8eb 100644 --- a/doc/getting-started/getting-started.rst +++ b/doc/getting-started/getting-started.rst @@ -180,7 +180,7 @@ Build the ACRN Hypervisor on Ubuntu xsltproc \ clang-format - $ sudo pip3 install lxml xmlschema + $ sudo pip3 install lxml xmlschema defusedxml #. Starting with the ACRN v2.2 release, we use the ``iasl`` tool to compile an offline ACPI binary for pre-launched VMs while building ACRN, diff --git a/misc/config_tools/config_app/requirements b/misc/config_tools/config_app/requirements index 58ee72a30..ba971b134 100644 --- a/misc/config_tools/config_app/requirements +++ b/misc/config_tools/config_app/requirements @@ -2,3 +2,4 @@ Flask==1.1.1 flask_bootstrap==3.3.7.1 xmlschema==1.4.1 lxml==4.6.2 +defusedxml==0.7.1 
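Review bot: The new `defusedxml==0.7.1` pin in misc/config_tools/config_app/requirements is not matched by the two documentation hunks in this patch, which install the package unpinned and system-wide with `sudo pip3 install lxml xmlschema defusedxml`. A build host set up from the docs therefore gets whatever release the index serves at that moment, not the version the config app pins. Carrying the pin into the documented command would keep the two in step, for example `sudo pip3 install lxml xmlschema defusedxml==0.7.1`.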
diff --git a/misc/config_tools/library/common.py b/misc/config_tools/library/common.py
index 7e9c9720f..9c637b9e2 100644
--- a/misc/config_tools/library/common.py
+++ b/misc/config_tools/library/common.py
@@ -8,7 +8,7 @@ import sys
 import getopt
 import shutil
 import subprocess # nosec
-import xml.etree.ElementTree as ET
+import defusedxml.ElementTree as ET
 import re
 import lxml
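Review bot: Rebinding the `ET` alias with `import defusedxml.ElementTree as ET` is only safe if every `ET.` use in common.py is a parsing call. defusedxml.ElementTree exposes the parsing entry points (`parse`, `fromstring`, `iterparse`, `XMLParser`) but not builders such as `ET.Element`, `ET.SubElement` or `ET.ElementTree`, and the rest of the file is outside this hunk, so this needs checking. If any builder use exists, keep the stdlib import for construction and add the hardened parser separately, e.g. `from defusedxml.ElementTree import parse as safe_parse`. The context line `import lxml` also shows a second XML library in this module that defusedxml does not cover. If lxml parses the same untrusted files, it needs its own hardening, such as `lxml.etree.XMLParser(resolve_entities=False, no_network=True)`.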