From 2b8fed8f4e94452bc1c3a94a5adade27a16b017b Mon Sep 17 00:00:00 2001
From: "Langhammer, Jens"
Date: Fri, 4 Oct 2019 09:50:25 +0200
Subject: [PATCH] saml_idp(minor): rewrite to use defusedxml instead of bs4
---
 passbook/policy/engine.py | 4 ++--
 passbook/policy/struct.py | 8 +++++---
 passbook/saml_idp/base.py | 14 +++++++-------
 3 files changed, 14 insertions(+), 12 deletions(-)
diff --git a/passbook/policy/engine.py b/passbook/policy/engine.py
index 57f2e8daa..5e36c98c8 100644
--- a/passbook/policy/engine.py
+++ b/passbook/policy/engine.py
@@ -1,15 +1,15 @@
 """passbook policy engine"""
 from multiprocessing import Pipe
 from multiprocessing.connection import Connection
-from typing import List, Tuple, Tuple
+from typing import List, Tuple
 from django.core.cache import cache
 from django.http import HttpRequest
 from structlog import get_logger
 from passbook.core.models import Policy, User
+from passbook.policy.struct import PolicyRequest, PolicyResult
 from passbook.policy.task import PolicyTask
-from passbook.policy.struct import PolicyResult, PolicyRequest
 LOGGER = get_logger()
diff --git a/passbook/policy/struct.py b/passbook/policy/struct.py
index 091eeea34..0d13f00d3 100644
--- a/passbook/policy/struct.py
+++ b/passbook/policy/struct.py
@@ -1,16 +1,18 @@
 """policy structs"""
-from typing import List
+from typing import TYPE_CHECKING, List
 from django.http import HttpRequest
+if TYPE_CHECKING:
+ from passbook.core.models import User
 class PolicyRequest:
 """Data-class to hold policy request data"""
- user: 'passbook.core.models.User'
+ user: 'User'
 http_request: HttpRequest
- def __init__(self, user: 'passbook.core.models.User'):
+ def __init__(self, user: 'User'):
 self.user = user
 def __str__(self):
diff --git a/passbook/saml_idp/base.py b/passbook/saml_idp/base.py
index 151ed9f0d..cc215e2c0 100644
--- a/passbook/saml_idp/base.py
+++ b/passbook/saml_idp/base.py
@@ -3,7 +3,7 @@
 import time
 import uuid
-from bs4 import BeautifulSoup
+from defusedxml import ElementTree
 from structlog import get_logger
 from passbook.saml_idp import exceptions, utils, xml_render
@@ -204,13 +204,13 @@ class Processor:
 if not str(self._request_xml.strip()).startswith('<'):
 raise Exception('RequestXML is not valid XML; '
 'it may need to be decoded or decompressed.')
- soup = BeautifulSoup(self._request_xml, features="xml")
- request = soup.findAll()[0]
+
+ root = ElementTree.fromstring(self._request_xml)
 params = {}
- params['ACS_URL'] = request['AssertionConsumerServiceURL']
- params['REQUEST_ID'] = request['ID']
- params['DESTINATION'] = request.get('Destination', '')
- params['PROVIDER_NAME'] = request.get('ProviderName', '')
+ params['ACS_URL'] = root.attrib['AssertionConsumerServiceURL']
+ params['REQUEST_ID'] = root.attrib['ID']
+ params['DESTINATION'] = root.attrib.get('Destination', '')
+ params['PROVIDER_NAME'] = root.attrib.get('ProviderName', '')
 self._request_params = params
 def _reset(self, django_request, sp_config=None):
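Review bot: Nothing in the visible lines catches what the new `ElementTree.fromstring(self._request_xml)` call in the `Processor` hunk can raise: `ParseError` for malformed XML and defusedxml's `DefusedXmlException` subclasses (for example `EntitiesForbidden`) for documents it refuses, so a hostile or broken AuthnRequest likely surfaces as an unhandled exception unless a caller outside the hunk handles it. Wrapping the parse and re-raising the error type this module already uses for a bad request would turn that into a clean rejection. Since an AuthnRequest has no need for a DTD, the call can also be tightened to `root = ElementTree.fromstring(self._request_xml, forbid_dtd=True)`. Separately, the root element's tag is never checked and `AssertionConsumerServiceURL` is copied from the request as-is; whether it is later compared with the service provider's registered ACS URL is not visible here, as the enclosing method starts outside the hunk.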