community[major]: lint for usage of xml library (#22132)

* Lint for usage of standard xml library
* Add forced opt-in for quip client
* Actual security issue is with underlying QuipClient not LangChain
integration (since the client is doing the parsing), but adding
enforcement at the LangChain level.
This commit is contained in:
Eugene Yurtsev
2024-05-24 11:23:53 -04:00
committed by GitHub
parent 5b5ea2af30
commit d3db83abe3
2 changed files with 29 additions and 5 deletions


@@ -8,6 +8,14 @@ errors=0
# make sure not importing from langchain or langchain_experimental
git --no-pager grep '^from langchain_experimental\.' . && errors=$((errors+1))
# make sure no one is importing from the built-in xml library
# instead defusedxml should be used to avoid getting CVEs.
# Whether the standary library actually poses a risk to users
# is very nuanced and dependns on user's environment.
# https://docs.python.org/3/library/xml.etree.elementtree.html
git --no-pager grep '^from xml\.' . | grep -vE "# OK: user-must-opt-in" && errors=$((errors+1))
git --no-pager grep '^import xml\.' . | grep -vE "# OK: user-must-opt-in" && errors=$((errors+1))
# Decide on an exit status based on the errors
if [ "$errors" -gt 0 ]; then
exit 1
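Review bot: the two anchored patterns in this hunk only catch imports that start at column 0, so an import indented inside a function or `try:` block (the usual shape of a lazily imported, opt-in dependency) is not flagged, and neither is `from xml import etree` or a bare `import xml`, since both lack the literal `xml.` the regexes require. Consider widening to `'^\s*(from|import) xml\b'` (or `'^\s*from xml import'` alongside the existing `xml\.` forms) so the check covers the import shapes that actually occur. The opt-out marker `# OK: user-must-opt-in` is also undocumented in the comment block above the greps; a one-line note saying that the marker on the import line is the only way to bypass the check, and that it should only be used where the caller has to explicitly enable the behaviour, would make the intent clear to the next maintainer. Finally, the added comment has two typos: "standary" should be "standard" and "dependns" should be "depends".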