Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

v.in.wfs: improve error message for ServiceException #4812

Merged

Conversation

pesekon2
Copy link
Contributor

@pesekon2 pesekon2 commented Dec 7, 2024

the current one said that the downloaded XML cannot be found (not really what was going on) - this one reports the meaningful content of the service exception report instead

the current one said that the downloaded XML cannot be found - report the meaningful content of service exception report instead
@pesekon2 pesekon2 self-assigned this Dec 7, 2024
@github-actions github-actions bot added vector Related to vector data processing Python Related code is in Python module labels Dec 7, 2024
scripts/v.in.wfs/v.in.wfs.py Show resolved Hide resolved
scripts/v.in.wfs/v.in.wfs.py Show resolved Hide resolved
@pesekon2
Copy link
Contributor Author

pesekon2 commented Dec 7, 2024

Any idea why does the Python Code Quality check complain scripts/v.in.wfs/v.in.wfs.py:230:16: N817 CamelCase ElementTre imported as acronym ET?

It is imported this way everywhere around the code (and it is the common way). If we are going to change it here to comply with the quality check, we should change it everywhere in order not to use inconsistent aliases.

@echoix
Copy link
Member

echoix commented Dec 7, 2024

Do we really use defused xml here? I don't remember seeing it in the deps listed and installed.

And for your question on why it "fails", it's related to the default settings of:

grass/pyproject.toml

Lines 394 to 397 in 8b5c6f9

[tool.ruff.lint.flake8-import-conventions.extend-aliases]
# Declare a custom aliases, checked with rule ICN001
"grass.script" = "gs"

Listed here: https://docs.astral.sh/ruff/settings/#lintflake8-import-conventions

Where "xml.etree.ElementTree": "ET"}. Thus, it is unexpected, as by convention, ET would be the python's library ElementTree.

I'm not saying that using defusedxml is wrong, you are right that this code should be the right thing. There are multiple places where we use the Python library's xml parser where we are warned, with bandit, CodeQL, and the Python docs, that it is not enough and should be using an external library like defusedxml.

@echoix
Copy link
Member

echoix commented Dec 7, 2024

That last discussion makes me think it might not be as pressing as I initially thought, and maybe not as much as an official recommendation, but a single (but valid) opinion at a time.

@pesekon2
Copy link
Contributor Author

pesekon2 commented Dec 8, 2024

And for your question on why it "fails", it's related to the default settings of:

grass/pyproject.toml

Lines 394 to 397 in 8b5c6f9

[tool.ruff.lint.flake8-import-conventions.extend-aliases]
# Declare a custom aliases, checked with rule ICN001
"grass.script" = "gs"

Listed here: https://docs.astral.sh/ruff/settings/#lintflake8-import-conventions

Where "xml.etree.ElementTree": "ET"}. Thus, it is unexpected, as by convention, ET would be the python's library ElementTree.

Cool, thanks for the explanation.

As for the use of decodexml -- I fully agree with you. I originally used just the native Python xml package. I switched to defusedxml in e2d4ef1 because github-advanced-security bot complained. What do you think would be the best solution? Shall we just ignore the warning and switch back to xml (which we use in multiple other places)? Because it is true that defusedxml is not between the dependencies - I encountered it in so many places in other places I actually thought it is already in native Python...

@echoix
Copy link
Member

echoix commented Dec 10, 2024

I think you could ignore the warning like we did with the others of existing code. We'd need to take a position on this at one point, where would it be discussed though? It's not something to fall on your shoulders and this PR.

@pesekon2
Copy link
Contributor Author

pesekon2 commented Dec 11, 2024

I think you could ignore the warning like we did with the others of existing code.

The commit introducing defusedxml reverted.

We'd need to take a position on this at one point, where would it be discussed though? It's not something to fall on your shoulders and this PR.

Shall I open an issue for that? Or shall we have an internal discussion to avoid discussing vulnerabilities openly and bringing more attention to them (which we have already done, ehm)?

@echoix
Copy link
Member

echoix commented Dec 11, 2024

We'd need to take a position on this at one point, where would it be discussed though? It's not something to fall on your shoulders and this PR.

Shall I open an issue for that? Or shall we have an internal discussion to avoid discussing vulnerabilities openly and bringing more attention to them (which we have already done, ehm)?

You could if you'd want, what are our channels for these kinds of internal discussions?

@pesekon2
Copy link
Contributor Author

what are our channels for these kinds of internal discussions?

I do not know if we have any official channel/way to handle this. The last security meeting was called internally by a meeting just through e-mails.

@pesekon2 pesekon2 merged commit 60ad5a7 into OSGeo:main Dec 12, 2024
26 checks passed
@pesekon2 pesekon2 deleted the v_in_wfs_improve_error_msg_for_serviceexception branch December 12, 2024 10:14
@github-actions github-actions bot added this to the 8.5.0 milestone Dec 12, 2024
@nilason
Copy link
Contributor

nilason commented Dec 12, 2024

Wouldn't it be possible to use defusedxml if available otherwise use the core xml, they seem to have identical API? If often used in code, we could also consider creating a wrapper.

@echoix
Copy link
Member

echoix commented Dec 12, 2024

Wouldn't it be possible to use defusedxml if available otherwise use the core xml, they seem to have identical API? If often used in code, we could also consider creating a wrapper.

Indeed, if I understand correctly, they copied the entire stdlib (concerning xml), and adapted from there. At least that's how it started

@wenzeslaus
Copy link
Member

...what are our channels for these kinds of internal discussions?

If there is an specific report or concern, the most straightforward would be to report security vulnerability using the dedicated channel as described in our Security Policy: https://github.com/OSGeo/grass/security. The links do different things depending on people's access rights, but all should lead you to https://github.com/OSGeo/grass/security/advisories/new (a reported vulnerability is potentially turned into an advisory).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
module Python Related code is in Python vector Related to vector data processing
Projects
Development

Successfully merging this pull request may close these issues.

4 participants