Feat/security improvements (#81)

vinitkumar · web-flow · commit 7c4912d16ab9 · 2021-10-07T02:24:19.000+05:30
* 🔒 refactor: replace xml with defused xml fixes #80, to fix the security attacks that can happen using the xml.dom from stdlib. defusedxml is API compatible and easy to replace that fixes these security issues, so why not. Adds an extra dependency but is worth it. * 🔖 feat: version bump * 🎨 feat: pin dependencies * 📦 feat: packages are installed from a new file
diff --git a/.github/workflows/pythonpackage.yml b/.github/workflows/pythonpackage.yml
@@ -25,7 +25,7 @@ jobs:
       run: |
         python -m pip install --upgrade pip
         pip install pytest
-        pip install -r requirements_prod.txt
+        pip install -r requirements.txt
         python setup.py install
     - name: Lint with flake8
       run: |
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,5 @@
 .idea
+.tox
 *.pyc
 json2xml.egg-info
 build
diff --git a/json2xml/__init__.py b/json2xml/__init__.py
@@ -4,7 +4,7 @@
 
 __author__ = """Vinit Kumar"""
 __email__ = "mail@vinitkumar.me"
-__version__ = "3.7.0"
+__version__ = "3.8.0"
 
 
 # from .utils import readfromurl, readfromstring, readfromjson
diff --git a/json2xml/dicttoxml.py b/json2xml/dicttoxml.py
@@ -5,8 +5,7 @@
 import logging
 import numbers
 from random import randint
-from xml.dom.minidom import parseString
-
+from defusedxml.minidom import parseString
 
 from typing import Dict, Any
 
diff --git a/json2xml/json2xml.py b/json2xml/json2xml.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 from typing import Optional, Any
-from xml.dom.minidom import parseString
+from defusedxml.minidom import parseString
 from json2xml import dicttoxml
 
 
diff --git a/requirements.in b/requirements.in
@@ -0,0 +1,5 @@
+requests>=2.20.0
+defusedxml==0.7.1
+pytest
+xmltodict
+
diff --git a/requirements.txt b/requirements.txt
@@ -0,0 +1,44 @@
+#
+# This file is autogenerated by pip-compile with python 3.7
+# To update, run:
+#
+#    pip-compile
+#
+attrs==21.2.0
+    # via pytest
+certifi==2021.5.30
+    # via requests
+charset-normalizer==2.0.6
+    # via requests
+defusedxml==0.7.1
+    # via -r requirements.in
+idna==3.2
+    # via requests
+importlib-metadata==4.8.1
+    # via
+    #   pluggy
+    #   pytest
+iniconfig==1.1.1
+    # via pytest
+packaging==21.0
+    # via pytest
+pluggy==1.0.0
+    # via pytest
+py==1.10.0
+    # via pytest
+pyparsing==2.4.7
+    # via packaging
+pytest==6.2.5
+    # via -r requirements.in
+requests==2.26.0
+    # via -r requirements.in
+toml==0.10.2
+    # via pytest
+typing-extensions==3.10.0.2
+    # via importlib-metadata
+urllib3==1.26.7
+    # via requests
+xmltodict==0.12.0
+    # via -r requirements.in
+zipp==3.6.0
+    # via importlib-metadata
diff --git a/requirements_dev.txt b/requirements_dev.txt
diff --git a/requirements_prod.txt b/requirements_prod.txt
diff --git a/setup.py b/setup.py
@@ -12,7 +12,7 @@
 with open("HISTORY.rst") as history_file:
     history = history_file.read()
 
-requirements = [open("requirements_prod.txt").read()]
+requirements = [open("requirements.txt").read()]
 
 setup_requirements = []
 
diff --git a/tox.ini b/tox.ini
@@ -1,11 +1,11 @@
 [tox]
-envlist = py27, py34, py35, py36, flake8
+envlist = py38, py39, py310
 
 [travis]
 python =
-    3.6: py36
-    3.5: py35
-    3.4: py34
+    3.9: py39
+    3.8: py38
+    3.10: py310
     2.7: py27
 
 [testenv:flake8]

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`.idea`
	`2`	`+.tox`
`2`	`3`	`*.pyc`
`3`	`4`	`json2xml.egg-info`
`4`	`5`	`build`