misc: Bandit scan issue for lxml

This patch fixes Bandit scan findings B313-B320, which flag XML parsing code that is
vulnerable to XML attacks when parsing untrusted XML data.

I replaced the lxml.etree parsing calls with their equivalents from the defusedxml package.

I confirm it works after making a Bandit scan, building the configurator
and compiling the acrn.

Signed-off-by: dongpingx <dongpingx.wu@intel.com>
Tracked-On: #8717
This commit is contained in:
dongpingx
2024-08-28 16:42:02 +08:00
committed by acrnsi-robot
parent 8c8dfdca9a
commit 6f96614e6f
16 changed files with 53 additions and 49 deletions


@@ -7,6 +7,7 @@
import sys, os
import lxml.etree
from defusedxml.lxml import parse, fromstring
import argparse
sys.path.append(os.path.join(os.path.dirname(os.path.abspath(__file__)), '..', 'library'))
import acrn_config_utilities
@@ -22,9 +23,9 @@ def main(args):
scripts_path = os.path.dirname(os.path.realpath(__file__))
current = os.path.basename(__file__)
board_etree = lxml.etree.parse(args.board)
scenario_etree = lxml.etree.parse(args.scenario)
allocation_etree = lxml.etree.ElementTree(element=lxml.etree.fromstring("<acrn-config></acrn-config>"))
board_etree = parse(args.board)
scenario_etree = parse(args.scenario)
allocation_etree = lxml.etree.ElementTree(element=fromstring("<acrn-config></acrn-config>"))
for script in sorted([f for f in os.listdir(scripts_path) if f.endswith(".py") and f != current]):
module_name = os.path.splitext(script)[0]
module = import_module(f"{module_name}")