saml_idp(minor): rewrite to use defusedxml instead of bs4

2019-10-04 09:50:25 +02:00 · 2019-10-04 09:50:25 +02:00 · 2b8fed8f4e
parent c7322a32a0
commit 2b8fed8f4e
3 changed files with 14 additions and 12 deletions
--- a/passbook/policy/engine.py
+++ b/passbook/policy/engine.py
@ -1,15 +1,15 @@
 """passbook policy engine"""
 from multiprocessing import Pipe
 from multiprocessing.connection import Connection
-from typing import List, Tuple, Tuple
+from typing import List, Tuple

 from django.core.cache import cache
 from django.http import HttpRequest
 from structlog import get_logger

 from passbook.core.models import Policy, User
+from passbook.policy.struct import PolicyRequest, PolicyResult
 from passbook.policy.task import PolicyTask
-from passbook.policy.struct import PolicyResult, PolicyRequest

 LOGGER = get_logger()

--- a/passbook/policy/struct.py
+++ b/passbook/policy/struct.py
@ -1,16 +1,18 @@
 """policy structs"""
-from typing import List
+from typing import TYPE_CHECKING, List

 from django.http import HttpRequest

+if TYPE_CHECKING:
+    from passbook.core.models import User

 class PolicyRequest:
    """Data-class to hold policy request data"""

-    user: 'passbook.core.models.User'
+    user: 'User'
    http_request: HttpRequest

-    def __init__(self, user: 'passbook.core.models.User'):
+    def __init__(self, user: 'User'):
        self.user = user

    def __str__(self):
--- a/passbook/saml_idp/base.py
+++ b/passbook/saml_idp/base.py
@ -3,7 +3,7 @@
 import time
 import uuid

-from bs4 import BeautifulSoup
+from defusedxml import ElementTree
 from structlog import get_logger

 from passbook.saml_idp import exceptions, utils, xml_render
@ -204,13 +204,13 @@ class Processor:
        if not str(self._request_xml.strip()).startswith('<'):
            raise Exception('RequestXML is not valid XML; '
                            'it may need to be decoded or decompressed.')
-        soup = BeautifulSoup(self._request_xml, features="xml")
-        request = soup.findAll()[0]
+
+        root = ElementTree.fromstring(self._request_xml)
        params = {}
-        params['ACS_URL'] = request['AssertionConsumerServiceURL']
-        params['REQUEST_ID'] = request['ID']
-        params['DESTINATION'] = request.get('Destination', '')
-        params['PROVIDER_NAME'] = request.get('ProviderName', '')
+        params['ACS_URL'] = root.attrib['AssertionConsumerServiceURL']
+        params['REQUEST_ID'] = root.attrib['ID']
+        params['DESTINATION'] = root.attrib.get('Destination', '')
+        params['PROVIDER_NAME'] = root.attrib.get('ProviderName', '')
        self._request_params = params

    def _reset(self, django_request, sp_config=None):