I am getting below error in bandit. Using lxml.etree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace lxml.etree.parse with its defusedxml equivalent function.
I want the below code's equivlent with defusedxml.
from lxml import etree, objectify
def fn_read_xml_root(xml_file):
"""
function open xml and remove annotation and return the root node
xml_file : xml file to be parsed
"""
with open(xml_file, "r", encoding="utf-8") as x_file:
xml_data = x_file.read()
parser = etree.XMLParser(remove_blank_text=True)
xtree = etree.parse(xml_file, parser)
xroot = xtree.getroot()
for elem in xroot.getiterator():
if not hasattr(elem.tag, "find"):
continue # (1)
idx = elem.tag.find("}")
if idx >= 0:
elem.tag = elem.tag[idx + 1:]
objectify.deannotate(xroot, cleanup_namespaces=True)
# return xml data and root node of the file
return xml_data, xroot