[Security audit] Harden CalDAV/WebCal remote fetch and XML parsing #15

Closed
opened 2026-07-13 20:10:47 +02:00 by zemion · 1 comment
Owner

Semgrep/Bandit flag calendar remote fetches and XML parsing in CalDAV/WebCal code.

Source report: /mnt/DATA/git/govoplan/audit-reports/govoplan-full-20260713-1949

Observed locations:

  • src/govoplan_calendar/backend/caldav.py
  • src/govoplan_calendar/backend/service.py

Acceptance criteria:

  • Ensure all remote calendar URLs are absolute HTTP(S), with host, without embedded credentials.
  • Replace stdlib XML parsing of remote CalDAV responses with defusedxml or an equivalent hardened parser.
  • Keep CalDAV discovery and sync behavior covered by tests.
  • Add narrow scanner suppressions only after the safe parsing/fetch path is explicit.
<!-- codex-security-audit-fingerprint:security-audit-20260713-calendar-caldav-webcal-hardening --> Semgrep/Bandit flag calendar remote fetches and XML parsing in CalDAV/WebCal code. Source report: `/mnt/DATA/git/govoplan/audit-reports/govoplan-full-20260713-1949` Observed locations: - `src/govoplan_calendar/backend/caldav.py` - `src/govoplan_calendar/backend/service.py` Acceptance criteria: - Ensure all remote calendar URLs are absolute HTTP(S), with host, without embedded credentials. - Replace stdlib XML parsing of remote CalDAV responses with `defusedxml` or an equivalent hardened parser. - Keep CalDAV discovery and sync behavior covered by tests. - Add narrow scanner suppressions only after the safe parsing/fetch path is explicit.
Author
Owner

Codex State: done

Summary

  • Removed remaining stdlib XML imports from calendar backend parsing paths; parsing continues through defusedxml SafeElementTree.
  • Added narrow Bandit B310 suppressions to URL-open lines after immediate HTTP(S) validation.

Changed Files

  • src/govoplan_calendar/backend/caldav.py
  • src/govoplan_calendar/backend/service.py

Verification

  • /mnt/DATA/git/govoplan/.venv/bin/python -m py_compile src/govoplan_calendar/backend/caldav.py src/govoplan_calendar/backend/service.py
  • git diff --check -- src/govoplan_calendar/backend/caldav.py src/govoplan_calendar/backend/service.py
  • PYTHONPATH=/mnt/DATA/git/govoplan-calendar/src:/mnt/DATA/git/govoplan-tenancy/src:/mnt/DATA/git/govoplan-access/src:/mnt/DATA/git/govoplan-core/src /mnt/DATA/git/govoplan/.venv/bin/python -m unittest discover -s /mnt/DATA/git/govoplan-calendar/tests

Next / Blocked

  • Verify with next containerized Bandit/Semgrep run.
## Codex State: done ### Summary - Removed remaining stdlib XML imports from calendar backend parsing paths; parsing continues through defusedxml SafeElementTree. - Added narrow Bandit B310 suppressions to URL-open lines after immediate HTTP(S) validation. ### Changed Files - `src/govoplan_calendar/backend/caldav.py` - `src/govoplan_calendar/backend/service.py` ### Verification - `/mnt/DATA/git/govoplan/.venv/bin/python -m py_compile src/govoplan_calendar/backend/caldav.py src/govoplan_calendar/backend/service.py` - `git diff --check -- src/govoplan_calendar/backend/caldav.py src/govoplan_calendar/backend/service.py` - `PYTHONPATH=/mnt/DATA/git/govoplan-calendar/src:/mnt/DATA/git/govoplan-tenancy/src:/mnt/DATA/git/govoplan-access/src:/mnt/DATA/git/govoplan-core/src /mnt/DATA/git/govoplan/.venv/bin/python -m unittest discover -s /mnt/DATA/git/govoplan-calendar/tests` ### Next / Blocked - Verify with next containerized Bandit/Semgrep run.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: add-ideas/govoplan-calendar#15
No description provided.