@benmss benmss commented Aug 4, 2025

Summary

This PR fixes an uncaught exception that can be triggered by XML files with restricted content.

Description of changes

When searching for repositories for Maven projects, Macaron must parse the contents of the related POM files in the XML format. Use of the defusedxml library addresses the various security concerns this parsing involves, but the exceptions these cases can raise have not yet been accounted for.

This PR makes a small adjustment to the pomparser module, extending the catch clause to include the defusedxml security-related exceptions.
A unit test has also been included with examples of valid and invalid XML files.
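
The failure mode described above, as an added example that is not part of the PR or Macaron's code: defusedxml signals restricted content with its own `DefusedXmlException` hierarchy rather than `ParseError`, so a handler that catches only `ParseError` lets it escape. The helper names, return shape and sample POMs are assumptions constructed for illustration; the `defusedxml` package must be installed.

```python
from __future__ import annotations

from xml.etree.ElementTree import Element, ParseError

from defusedxml import DefusedXmlException
from defusedxml.ElementTree import fromstring

# Constructed sample inputs (not taken from the PR's unit test).
VALID_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <scm><url>https://example.org/repo.git</url></scm>
</project>"""

# Declares an internal entity, which defusedxml forbids by default.
ENTITY_POM = """<?xml version="1.0"?>
<!DOCTYPE project [<!ENTITY repo "https://example.org/repo.git">]>
<project><scm><url>&repo;</url></scm></project>"""

# Not well-formed: this one takes the ordinary ParseError path.
BROKEN_POM = "<project><scm></project>"


def parse_pom_string(pom: str) -> tuple[Element | None, str | None]:
    """Return (root, None) on success, or (None, reason) if the POM is rejected.

    Hypothetical helper: the name and return shape are assumptions.
    """
    try:
        return fromstring(pom), None
    except ParseError as error:
        return None, f"malformed: {error}"
    except DefusedXmlException as error:
        # Base class of EntitiesForbidden, DTDForbidden and
        # ExternalReferenceForbidden; it derives from ValueError, so a
        # handler for ParseError alone never sees it.
        return None, f"restricted: {type(error).__name__}"


def scm_url(pom: str) -> str | None:
    """Extract <scm><url> from a POM, or None if it is unusable or absent."""
    root, _reason = parse_pom_string(pom)
    if root is None:
        return None
    # "{*}" matches the Maven namespace as well as un-namespaced POMs.
    url = root.find("{*}scm/{*}url")
    return url.text if url is not None else None


if __name__ == "__main__":
    for name, pom in [("valid", VALID_POM), ("entity", ENTITY_POM), ("broken", BROKEN_POM)]:
        print(name, scm_url(pom), parse_pom_string(pom)[1])
```
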

@benmss benmss self-assigned this Aug 4, 2025
@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label Aug 4, 2025
@benmss benmss added the bug Something isn't working label Aug 4, 2025
@benmss benmss marked this pull request as ready for review August 5, 2025 00:15
@benmss benmss requested review from behnazh-w and tromai as code owners August 5, 2025 00:15
@behnazh-w behnazh-w requested a review from nicallen August 5, 2025 06:29
@benmss benmss force-pushed the benmss/fix-xml-parse-error branch from 1fa7ed6 to 5d1495e Compare August 6, 2025 05:32
benmss added 3 commits August 7, 2025 10:05
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
Signed-off-by: Ben Selwyn-Smith <benselwynsmith@googlemail.com>
@benmss benmss force-pushed the benmss/fix-xml-parse-error branch from 5d1495e to f7a1274 Compare August 7, 2025 00:07
@benmss benmss merged commit 6329041 into main Aug 7, 2025
8 checks passed
@benmss benmss deleted the benmss/fix-xml-parse-error branch August 7, 2025 02:04