fix: replace xml.etree.ElementTree with defusedxml to prevent XXE attacks

Addresses #4865 - The native Python xml library is vulnerable to XML
External Entity (XXE) attacks that can leak confidential data and XML
bombs that can cause denial of service.

Changes:
- Replace xml.etree.ElementTree with defusedxml.ElementTree in xml_loader.py
- Replace xml.etree.ElementTree with defusedxml.ElementTree in arxiv_paper_tool.py
- Add defusedxml~=0.7.1 as a dependency in crewai-tools pyproject.toml
- Update arxiv_paper_tool_test.py to use defusedxml
- Replace WebPageLoader tests in test_xml_loader.py with proper XMLLoader tests
- Add XXE attack tests (entity expansion, billion laughs, parameter entities)
- Remove noqa: S314 comments since defusedxml is safe

Co-Authored-By: João <joao@crewai.com>
Devin AI
2026-03-14 05:24:39 +00:00
parent e1d7de0dba
commit 506155b4f4
5 changed files with 188 additions and 153 deletions

@@ -1,7 +1,7 @@
from pathlib import Path
from unittest.mock import MagicMock, patch
import urllib.error
import xml.etree.ElementTree as ET
import defusedxml.ElementTree as ET
from crewai_tools import ArxivPaperTool
import pytest
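Review bot: The `ET` alias on the changed import line now resolves to `defusedxml.ElementTree`, which exposes only the parsing entry points (`parse`, `fromstring`, `iterparse`, `XMLParser`, `tostring`, `ParseError`) and not the element constructors such as `ET.Element` or `ET.SubElement`. If any test further down this file builds fixture XML with those constructors it will fail with an AttributeError; either build fixtures from strings with `ET.fromstring` or keep a separately named `xml.etree.ElementTree` import used only for constructing trees. Since `MagicMock` and `patch` are imported here, also confirm that at least one test runs the tool's real parse path on a payload containing a DTD or entity declaration, so the suite shows the tool module itself rejects it rather than only the test's own `ET`.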