File tree Expand file tree Collapse file tree 6 files changed +83
-1
lines changed Expand file tree Collapse file tree 6 files changed +83
-1
lines changed Original file line number Diff line number Diff line change 66from xml .etree .ElementTree import Element # nosec B405
77
88import defusedxml .ElementTree
9+ from defusedxml import DefusedXmlException
910from defusedxml .ElementTree import fromstring
1011
1112logger : logging .Logger = logging .getLogger (__name__ )
@@ -31,4 +32,6 @@ def parse_pom_string(pom_string: str) -> Element | None:
3132 return pom
3233 except defusedxml .ElementTree .ParseError as error :
3334 logger .debug ("Failed to parse XML: %s" , error )
34- return None
35+ except DefusedXmlException as error :
36+ logger .debug ("POM rejected due to possible security issues: %s" , error )
37+ return None
Original file line number Diff line number Diff line change 1+ # Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
2+ # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
Original file line number Diff line number Diff line change 1+ <?xml version =" 1.0" encoding =" ISO-8859-1"
2+ <!DOCTYPE xml [<!ENTITY quot " " "
Original file line number Diff line number Diff line change 1+ <?xml
Original file line number Diff line number Diff line change 1+ <?xml version =" 1.0" encoding =" UTF-8"
2+ <project xmlns =" http://maven.apache.org/POM/4.0.0"
3+ xmlns : xsi =" http://www.w3.org/2001/XMLSchema-instance"
4+ xsi : schemaLocation =" http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd"
5+ <modelVersion >4.0.0</modelVersion >
6+ <groupId >com.oracle.database.xml</groupId >
7+ <artifactId >xdb</artifactId >
8+ <version >23.9.0.25.07</version >
9+ <packaging >jar</packaging >
10+
11+ <!--
12+ xdb.jar: Support for the JDBC 4.x standard java.sql.SQLXML interface.
13+ Note: xdb6.jar is a legacy name, xdb.jar is the new name.
14+ Refer to "List of Artifacts (BOM)" section of the Maven Central Guide
15+ https://www.oracle.com/database/technologies/maven-central-guide.html#artifacts
16+ -->
17+ <name >xdb</name >
18+ <description >Support for the JDBC 4.x standard java.sql.SQLXML interface</description >
19+ <url >https://www.oracle.com/database/technologies/maven-central-guide.html</url >
20+ <inceptionYear >1997</inceptionYear >
21+
22+ <licenses >
23+ <license >
24+ <name >Oracle Free Use Terms and Conditions (FUTC)</name >
25+ <url >https://www.oracle.com/downloads/licenses/oracle-free-license.html</url >
26+ </license >
27+ </licenses >
28+
29+ <developers >
30+ <developer >
31+ <organization >Oracle America, Inc.</organization >
32+ <organizationUrl >http://www.oracle.com</organizationUrl >
33+ </developer >
34+ </developers >
35+
36+ <scm >
37+ <url >https://github.com/oracle</url >
38+ </scm >
39+
40+ </project >
Original file line number Diff line number Diff line change 1+ # Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
2+ # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
3+
4+ """
5+ This module tests the POM parser.
6+ """
7+
8+ import os
9+ from pathlib import Path
10+
11+ import pytest
12+
13+ from macaron .parsers .pomparser import parse_pom_string as parse
14+
15+ RESOURCES_DIR = Path (__file__ ).parent .joinpath ("resources" )
16+
17+
18+ def test_pomparser_parse () -> None :
19+ """Test parsing a valid XML file."""
20+ with open (os .path .join (RESOURCES_DIR , "valid.xml" ), encoding = "utf8" ) as file :
21+ assert parse (file .read ())
22+
23+
24+ @pytest .mark .parametrize (
25+ "file_name" ,
26+ [
27+ "forbidden_entity.xml" ,
28+ "invalid.xml" ,
29+ ],
30+ )
31+ def test_pomparser_parse_invalid (file_name : str ) -> None :
32+ """Test parsing invalid XML files."""
33+ with open (os .path .join (RESOURCES_DIR , file_name ), encoding = "utf8" ) as file :
34+ assert not parse (file .read ())
You can’t perform that action at this time.
0 commit comments