From d083b56f1fed1d8220fc61b762fc09c59ed8b9c0 Mon Sep 17 00:00:00 2001
From: Enrico Minack
Date: Fri, 10 Mar 2023 09:31:34 +0100
Subject: [PATCH] Restrict XSLT permissions
---
 python/publish/nunit.py | 2 +-
 python/publish/trx.py | 2 +-
 python/publish/xunit.py | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/python/publish/nunit.py b/python/publish/nunit.py
index e128cfc7..8708bf22 100644
--- a/python/publish/nunit.py
+++ b/python/publish/nunit.py
@@ -6,7 +6,7 @@ from publish.junit import JUnitTree, ParsedJUnitFile, progress_safe_parse_xml_file, xml_has_root_element
 with (pathlib.Path(__file__).resolve().parent / 'xslt' / 'nunit3-to-junit.xslt').open('r', encoding='utf-8') as r:
- transform_nunit_to_junit = etree.XSLT(etree.parse(r))
+ transform_nunit_to_junit = etree.XSLT(etree.parse(r), regexp=False, access_control=etree.XSLTAccessControl.DENY_ALL)
 def is_nunit(path: str) -> bool:
diff --git a/python/publish/trx.py b/python/publish/trx.py
index f85ab89c..b9d86cdc 100644
--- a/python/publish/trx.py
+++ b/python/publish/trx.py
@@ -6,7 +6,7 @@ from publish.junit import JUnitTree, ParsedJUnitFile, progress_safe_parse_xml_file, xml_has_root_element
 with (pathlib.Path(__file__).resolve().parent / 'xslt' / 'trx-to-junit.xslt').open('r', encoding='utf-8') as r:
- transform_trx_to_junit = etree.XSLT(etree.parse(r))
+ transform_trx_to_junit = etree.XSLT(etree.parse(r), regexp=False, access_control=etree.XSLTAccessControl.DENY_ALL)
 def is_trx(path: str) -> bool:
diff --git a/python/publish/xunit.py b/python/publish/xunit.py
index 4d8efde7..ec7c1a8a 100644
--- a/python/publish/xunit.py
+++ b/python/publish/xunit.py
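Review bot: The added `regexp=False, access_control=etree.XSLTAccessControl.DENY_ALL` is repeated verbatim at three module-level call sites (this one in nunit.py and the matching lines in trx.py and xunit.py) with no comment explaining it, so a converter added later could be copied without the restriction. Loading the bundled stylesheets through one shared helper would keep the setting in a single place, with a comment such as `# the bundled stylesheet needs no file/network access or EXSLT regexp, so deny both at transform time`. These arguments only limit what the transform itself may do; how the result files are parsed before the transform (entity resolution, network access) is presumably decided in `progress_safe_parse_xml_file`, which is imported in the hunk header line but defined outside this patch, and should be checked to be equally restrictive. The stylesheets are not shown here, so confirm none of them calls EXSLT regexp functions, since with `regexp=False` that would only fail when a file is actually transformed.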
@@ -6,7 +6,7 @@ from publish.junit import JUnitTree, ParsedJUnitFile, progress_safe_parse_xml_file, xml_has_root_element
 with (pathlib.Path(__file__).resolve().parent / 'xslt' / 'xunit-to-junit.xslt').open('r', encoding='utf-8') as r:
- transform_xunit_to_junit = etree.XSLT(etree.parse(r))
+ transform_xunit_to_junit = etree.XSLT(etree.parse(r), regexp=False, access_control=etree.XSLTAccessControl.DENY_ALL)
 def is_xunit(path: str) -> bool: