fix: catch defusedxml security errors (#1138)

Signed-off-by: Ben Selwyn-Smith <[email protected]>

Author: benmss

src/macaron/parsers/pomparser.py

@@ -6,6 +6,7 @@
 from xml.etree.ElementTree import Element  # nosec B405
 
 import defusedxml.ElementTree
+from defusedxml import DefusedXmlException
 from defusedxml.ElementTree import fromstring
 
 logger: logging.Logger = logging.getLogger(__name__)
@@ -31,4 +32,6 @@ def parse_pom_string(pom_string: str) -> Element | None:
         return pom
     except defusedxml.ElementTree.ParseError as error:
         logger.debug("Failed to parse XML: %s", error)
-        return None
+    except DefusedXmlException as error:
+        logger.debug("POM rejected due to possible security issues: %s", error)
+    return None

tests/parsers/pomparser/__init__.py

@@ -0,0 +1,2 @@
+# Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.

tests/parsers/pomparser/resources/forbidden_entity.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE xml [<!ENTITY quot "&#34;">]>

tests/parsers/pomparser/resources/invalid.xml

@@ -0,0 +1 @@
+<?xml

tests/parsers/pomparser/resources/valid.xml

@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <groupId>com.oracle.database.xml</groupId>
+    <artifactId>xdb</artifactId>
+    <version>23.9.0.25.07</version>
+    <packaging>jar</packaging>
+
+    <!--
+        xdb.jar: Support for the JDBC 4.x standard java.sql.SQLXML interface.
+        Note: xdb6.jar is a legacy name, xdb.jar is the new name.
+        Refer to "List of Artifacts (BOM)" section of the Maven Central Guide
+        https://www.oracle.com/database/technologies/maven-central-guide.html#artifacts
+      -->
+    <name>xdb</name>
+    <description>Support for the JDBC 4.x standard java.sql.SQLXML interface</description>
+    <url>https://www.oracle.com/database/technologies/maven-central-guide.html</url>
+    <inceptionYear>1997</inceptionYear>
+
+    <licenses>
+        <license>
+            <name>Oracle Free Use Terms and Conditions (FUTC)</name>
+            <url>https://www.oracle.com/downloads/licenses/oracle-free-license.html</url>
+        </license>
+    </licenses>
+
+    <developers>
+        <developer>
+            <organization>Oracle America, Inc.</organization>
+            <organizationUrl>http://www.oracle.com</organizationUrl>
+        </developer>
+    </developers>
+
+    <scm>
+        <url>https://github.com/oracle</url>
+    </scm>
+
+</project>

tests/parsers/pomparser/test_pomparser.py

@@ -0,0 +1,34 @@
+# Copyright (c) 2025 - 2025, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+
+"""
+This module tests the POM parser.
+"""
+
+import os
+from pathlib import Path
+
+import pytest
+
+from macaron.parsers.pomparser import parse_pom_string as parse
+
+RESOURCES_DIR = Path(__file__).parent.joinpath("resources")
+
+
+def test_pomparser_parse() -> None:
+    """Test parsing a valid XML file."""
+    with open(os.path.join(RESOURCES_DIR, "valid.xml"), encoding="utf8") as file:
+        assert parse(file.read())
+
+
+@pytest.mark.parametrize(
+    "file_name",
+    [
+        "forbidden_entity.xml",
+        "invalid.xml",
+    ],
+)
+def test_pomparser_parse_invalid(file_name: str) -> None:
+    """Test parsing invalid XML files."""
+    with open(os.path.join(RESOURCES_DIR, file_name), encoding="utf8") as file:
+        assert not parse(file.read())