community[major]: lint for usage of xml library (#22132)

* Lint for usage of standard xml library * Add forced opt-in for quip client * Actual security issue is with underlying QuipClient not LangChain integration (since the client is doing the parsing), but adding enforcement at the LangChain level.
2025-09-06 13:33:37 +00:00 · 2024-05-24 11:23:53 -04:00
parent 5b5ea2af30
commit d3db83abe3
2 changed files with 29 additions and 5 deletions
--- a/libs/community/langchain_community/document_loaders/quip.py
+++ b/libs/community/langchain_community/document_loaders/quip.py
@@ -1,10 +1,9 @@
 import logging
 import re
-import xml.etree.cElementTree
-import xml.sax.saxutils
+import xml.etree.cElementTree  # OK: user-must-opt-in
 from io import BytesIO
 from typing import List, Optional, Sequence
-from xml.etree.ElementTree import ElementTree
+from xml.etree.ElementTree import ElementTree  # OK: user-must-opt-in

 from langchain_core.documents import Document

@@ -22,14 +21,20 @@ class QuipLoader(BaseLoader):
    """

    def __init__(
-        self, api_url: str, access_token: str, request_timeout: Optional[int] = 60
+        self,
+        api_url: str,
+        access_token: str,
+        request_timeout: Optional[int] = 60,
+        *,
+        allow_dangerous_xml_parsing: bool = False,
    ):
        """
        Args:
            api_url: https://platform.quip.com
            access_token: token of access quip API. Please refer:
-            https://quip.com/dev/automation/documentation/current#section/Authentication/Get-Access-to-Quip's-APIs
+                https://quip.com/dev/automation/documentation/current#section/Authentication/Get-Access-to-Quip's-APIs
            request_timeout: timeout of request, default 60s.
+            allow_dangerous_xml_parsing: Allow dangerous XML parsing, defaults to False
        """
        try:
            from quip_api.quip import QuipClient
@@ -42,6 +47,17 @@ class QuipLoader(BaseLoader):
            access_token=access_token, base_url=api_url, request_timeout=request_timeout
        )

+        if not allow_dangerous_xml_parsing:
+            raise ValueError(
+                "The quip client uses the built-in XML parser which may cause"
+                "security issues when parsing XML data in some cases. "
+                "Please see "
+                "https://docs.python.org/3/library/xml.html#xml-vulnerabilities "
+                "For more information, set `allow_dangerous_xml_parsing` as True "
+                "if you are sure that your distribution of the standard library "
+                "is not vulnerable to XML vulnerabilities."
+            )
+
    def load(
        self,
        folder_ids: Optional[List[str]] = None,