Used defusedxml to protect against XML vulnerabilities

2018-10-25 13:57:21 +03:00 · 2018-10-25 13:57:21 +03:00 · f4bf3bac2a
parent 2142888cbe
commit f4bf3bac2a
2 changed files with 10 additions and 1 deletions
--- a/setup.py
+++ b/setup.py
@ -17,6 +17,7 @@ EXTRAS_REQUIRE = {
    'qrcode': ['qrcode'],
    'sound;platform_system=="Windows"': ['winsound'],
    'tor': ['stem'],
+    'xml': ['defusedxml'],
    'docs': ['sphinx', 'sphinxcontrib-apidoc', 'm2r']
 }

--- a/src/api.py
+++ b/src/api.py
@ -17,10 +17,10 @@ import random  # nosec
 import socket
 import subprocess
 import time
+import xmlrpclib
 from binascii import hexlify, unhexlify
 from SimpleXMLRPCServer import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer
 from struct import pack
-import xmlrpclib

 import defaults
 import helper_inbox
@ -46,6 +46,14 @@ from inventory import Inventory
 from network.threads import StoppableThread
 from version import softwareVersion

+try:  # TODO: write tests for XML vulnerabilities
+    from defusedxml.xmlrpc import monkey_patch
+except ImportError:
+    logger.warning(
+        'defusedxml not available, only use API on a secure, closed network.')
+else:
+    monkey_patch()
+
 str_chan = '[chan]'
 str_broadcast_subscribers = '[Broadcast subscribers]'