[Security] Parse WebDAV XML with defusedxml #26

Closed
opened 2026-07-11 12:51:18 +02:00 by zemion · 1 comment
Owner

Bandit flags unsafe XML parsing in WebDAV connector browsing. WebDAV responses are remote/provider-controlled and should use defusedxml.

Classification: immediate local fix.

Report evidence:

  • govoplan-files/src/govoplan_files/backend/storage/connector_browse.py:73.
  • Bandit: B314; Ruff: S314.

Suggested next steps:

  • Use defusedxml.ElementTree.fromstring for WebDAV multistatus parsing.
  • Add defusedxml>=0.7,<1 to files dependencies.
  • Verify parser smoke path.

Baseline report directory: audit-reports/govoplan-full-20260711-1238

<!-- codex-audit-full-2026-07-11:files-xml-defusedxml --> Bandit flags unsafe XML parsing in WebDAV connector browsing. WebDAV responses are remote/provider-controlled and should use defusedxml. Classification: **immediate local fix**. Report evidence: - `govoplan-files/src/govoplan_files/backend/storage/connector_browse.py:73`. - Bandit: `B314`; Ruff: `S314`. Suggested next steps: - Use `defusedxml.ElementTree.fromstring` for WebDAV multistatus parsing. - Add `defusedxml>=0.7,<1` to files dependencies. - Verify parser smoke path. Baseline report directory: `audit-reports/govoplan-full-20260711-1238`
zemion added the
type
bug
priority
p1
status
ready
module/files
codex/ready
labels 2026-07-11 12:51:18 +02:00
Author
Owner

Codex state update: Implemented locally: WebDAV multistatus parsing now uses defusedxml.ElementTree.fromstring, with defusedxml>=0.7,<1 added to pyproject.toml. Verified with py_compile and parser smoke checks.

Codex state update: Implemented locally: WebDAV multistatus parsing now uses `defusedxml.ElementTree.fromstring`, with `defusedxml>=0.7,<1` added to `pyproject.toml`. Verified with py_compile and parser smoke checks.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: add-ideas/govoplan-files#26
No description provided.