Merge pull request #151 from 0x41424142/patch

CodeFactor Security Findings
0x41424142 · Oct 7, 2024 · 57af21a · 57af21a
2 parents 2d3a655 + 6db233b
commit 57af21a
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 6 deletions.
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "qualysdk"
-version = "0.1.48"
+version = "0.1.49"
 description = "SDK for interacting with Qualys APIs, across most modules the platform offers."
 authors = ["0x41424142 <jake@jakelindsay.uk>", "0x4A616B65 <jake.lindsay@thermofisher.com>"]
 maintainers = ["Jake Lindsay <jake@jakelindsay.uk>"]
@@ -39,6 +39,7 @@ psycopg2-binary = [
     {version = "^2.9.9", platform = "darwin"},
 ]
 xmltodict = "^0.13.0"
+defusedxml = "^0.7.1"
 
 
 [tool.poetry.urls]

diff --git a/qualysdk/base/xml_parser.py b/qualysdk/base/xml_parser.py
@@ -2,7 +2,8 @@
 xml_parser.py - contains the xml_parser function that parses an XML string into a dictionary.
 """
 
-from lxml import etree
+from lxml.etree import _Comment
+from defusedxml.lxml import fromstring
 
 
 def xml_parser(xml_string, attr_prefix="@", cdata_key="#text"):
@@ -28,7 +29,7 @@ def parse_element(element):
             parsed_dict[attr_prefix + key] = value
         # Parse child elements
         for child in element:
-            if isinstance(child, etree._Comment):
+            if isinstance(child, _Comment):
                 continue  # Skip comments
             child_dict = parse_element(child)
             if child.tag in parsed_dict:
@@ -46,5 +47,5 @@ def parse_element(element):
                 parsed_dict = text
         return parsed_dict
 
-    root = etree.fromstring(xml_string)
+    root = fromstring(xml_string)
     return {root.tag: parse_element(root)}
diff --git a/qualysdk/totalcloud/data_classes/Evaluation.py b/qualysdk/totalcloud/data_classes/Evaluation.py
@@ -30,7 +30,7 @@ def __post_init__(self):
                 try:
                     setattr(self, field, datetime.fromisoformat(value))
                 except:
-                    pass
+                    setattr(self, field, None)
 
     def to_dict(self):
         return asdict(self)