build: Harden XML parser in extract_get.py

build: Emable XML DTD filtering in extract_get.py

Gramar validation will prevent noise injection

build: Replace the xml parser used in extract_get.py

The prevents known attack,

Also note that defusedxml (0.7.1) by default
(forbid_entities=True, forbid_external=True, see minidom.py reference)

- forbid_entities: disallow XML with <!ENTITY>
- forbid_dtd: disallow XML with a <!DOCTYPE>
- forbid_external: disallow any access to remote or local resources in external entities or DTD

Minor py3 cleanup added.

Origin: #101
Bug-SiliconLabs: UIC-3662
Relate-to: https://en.wikipedia.org/wiki/Billion_laughs_attack
Relate-to: https://docs.python.org/3/library/xml.html#xml-vulnerabilities
Relate-to: SLVDBBP-3112666
Relate-to: https://pypi.org/project/defusedxml/#billion-laughs-exponential-entity-expansion
Relate-to: SiliconLabsSoftware/z-wave-engine-application-layer#42
Relate-to: https://github.com/tiran/defusedxml/blob/v0.7.1/defusedxml/minidom.py#L18
Signed-off-by: Philippe Coval <[email protected]>

Author: rzr

applications/zpc/components/zwave_command_handler/scripts/extract_get.py

@@ -2,10 +2,9 @@
 
 # Copyright (c) 2014 Silicon Laboratories Inc.
 
-from __future__ import print_function
-import xml.dom.minidom
 import sys
-import os.path
+
+from defusedxml import minidom
 
 gets = []
 sets = []
@@ -14,10 +13,8 @@
 
 
 if __name__ == '__main__':
-    if(sys.argv[1] == '-'):
-        x = xml.dom.minidom.parse(sys.stdin)
-    else:
-        x = xml.dom.minidom.parse(sys.argv[1])
+    file = sys.stdin if sys.argv[1] == '-' else sys.argv[1]
+    x = minidom.parse(file, forbid_dtd=True)
 
     classes = dict()
 

helper.mk

@@ -36,6 +36,7 @@ debian_codename?=bookworm
 packages?=cmake ninja-build build-essential python3-full ruby clang
 packages+=git-lfs unp time file usbutils bsdutils
 packages+=nlohmann-json3-dev
+packages+=python3-defusedxml # For extract_get.py
 # TODO: remove for offline build
 packages+=curl wget python3-pip
 packages+=expect