andre/crewAI
1
0
Fork 0
mirror of https://github.com/crewAIInc/crewAI.git synced 2026-04-12 22:12:37 +00:00
Code Issues Actions 5 Packages Projects Releases Wiki Activity
Files
506155b4f4e9d7784fb75ef96bf859d65024b663
crewAI/lib
History
Devin AI 506155b4f4 fix: replace xml.etree.ElementTree with defusedxml to prevent XXE attacks 
Addresses #4865 - The native Python xml library is vulnerable to XML
External Entity (XXE) attacks that can leak confidential data and XML
bombs that can cause denial of service.

Changes:
- Replace xml.etree.ElementTree with defusedxml.ElementTree in xml_loader.py
- Replace xml.etree.ElementTree with defusedxml.ElementTree in arxiv_paper_tool.py
- Add defusedxml~=0.7.1 as a dependency in crewai-tools pyproject.toml
- Update arxiv_paper_tool_test.py to use defusedxml
- Replace WebPageLoader tests in test_xml_loader.py with proper XMLLoader tests
- Add XXE attack tests (entity expansion, billion laughs, parameter entities)
- Remove noqa: S314 comments since defusedxml is safe

Co-Authored-By: João <joao@crewai.com>
2026-03-14 05:24:39 +00:00
..
crewai
feat: bump versions to 1.10.2rc2
2026-03-14 00:34:12 -04:00
crewai-files
feat: bump versions to 1.10.2rc2
2026-03-14 00:34:12 -04:00
crewai-tools
fix: replace xml.etree.ElementTree with defusedxml to prevent XXE attacks
2026-03-14 05:24:39 +00:00
devtools
feat: bump versions to 1.10.2rc2
2026-03-14 00:34:12 -04:00