andrewmusselman opened a new issue, #763: URL: https://github.com/apache/tooling-trusted-releases/issues/763
**ASVS:** 1.5.1 | **CWE:** CWE-611 | **Severity:** MEDIUM | **Effort:** Low

### Description

Three locations use Python's `xml.etree.ElementTree` or `pydantic_xml` without explicit XXE protection:

1. **`atr/shared/distribution.py`** — `ET.fromstring()` parses XML fetched from external Maven repository URLs. This is the highest risk since the XML source is external and partially user-influenced.
2. **`atr/tasks/checks/rat.py`** — `ElementTree.parse()` parses Apache RAT XML output. Lower risk (trusted tool output) but defense-in-depth requires hardening.
3. **`atr/svn/__init__.py`** — `pydantic_xml` parses SVN log XML output without explicit lxml hardening. Lowest risk (local command output).

### Remediation

1. Check that Pydantic is XML-safe
