-
-
Notifications
You must be signed in to change notification settings - Fork 326
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
v.in.wfs: improve error message for ServiceException #4812
v.in.wfs: improve error message for ServiceException #4812
Conversation
the current one said that the downloaded XML cannot be found - report the meaningful content of service exception report instead
Any idea why does the Python Code Quality check complain It is imported this way everywhere around the code (and it is the common way). If we are going to change it here to comply with the quality check, we should change it everywhere in order not to use inconsistent aliases. |
Do we really use defused xml here? I don't remember seeing it in the deps listed and installed. And for your question on why it "fails", it's related to the default settings of: Lines 394 to 397 in 8b5c6f9
Listed here: https://docs.astral.sh/ruff/settings/#lintflake8-import-conventions Where I'm not saying that using defusedxml is wrong, you are right that this code should be the right thing. There are multiple places where we use the Python library's xml parser where we are warned, with bandit, CodeQL, and the Python docs, that it is not enough and should be using an external library like defusedxml.
|
That last discussion makes me think it might not be as pressing as I initially thought, and maybe not as much as an official recommendation, but a single (but valid) opinion at a time. |
Cool, thanks for the explanation. As for the use of decodexml -- I fully agree with you. I originally used just the native Python |
I think you could ignore the warning like we did with the others of existing code. We'd need to take a position on this at one point, where would it be discussed though? It's not something to fall on your shoulders and this PR. |
This reverts commit e2d4ef1.
The commit introducing defusedxml reverted.
Shall I open an issue for that? Or shall we have an internal discussion to avoid discussing vulnerabilities openly and bringing more attention to them (which we have already done, ehm)? |
You could if you'd want, what are our channels for these kinds of internal discussions? |
I do not know if we have any official channel/way to handle this. The last security meeting was called internally by a meeting just through e-mails. |
Wouldn't it be possible to use |
Indeed, if I understand correctly, they copied the entire stdlib (concerning xml), and adapted from there. At least that's how it started |
If there is an specific report or concern, the most straightforward would be to report security vulnerability using the dedicated channel as described in our Security Policy: https://github.com/OSGeo/grass/security. The links do different things depending on people's access rights, but all should lead you to https://github.com/OSGeo/grass/security/advisories/new (a reported vulnerability is potentially turned into an advisory). |
the current one said that the downloaded XML cannot be found (not really what was going on) - this one reports the meaningful content of the service exception report instead