From e0b06959adcbedae836495410fa71118ef54cff7 Mon Sep 17 00:00:00 2001
From: "aikido-autofix[bot]" <119856028+aikido-autofix[bot]@users.noreply.github.com>
Date: Mon, 9 Mar 2026 11:13:20 +0000
Subject: [PATCH] fix(security): autofix Using blacklisted XML parsing function is dangerous
---
 scripts/coding_discovery_tools/macos/jetbrains/jetbrains.py | 3 ++-
 .../macos/jetbrains/mcp_config_extractor.py | 3 ++-
 scripts/coding_discovery_tools/windows/jetbrains/jetbrains.py | 3 ++-
 .../windows/jetbrains/mcp_config_extractor.py | 3 ++-
 4 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/scripts/coding_discovery_tools/macos/jetbrains/jetbrains.py b/scripts/coding_discovery_tools/macos/jetbrains/jetbrains.py
index 048b7e82..602f8da6 100644
--- a/scripts/coding_discovery_tools/macos/jetbrains/jetbrains.py
+++ b/scripts/coding_discovery_tools/macos/jetbrains/jetbrains.py
@@ -6,6 +6,7 @@
 import logging
 import re
 import xml.etree.ElementTree as ET
+import defusedxml.ElementTree as DefusedET
 import zipfile
 from pathlib import Path
 from typing import Optional, Dict, List, Set, Tuple
@@ -244,7 +245,7 @@ def _parse_plugin_xml(self, xml_content: str) -> Tuple[Optional[str], Optional[s
 try:
 # Remove XML namespace declarations for simpler parsing
 xml_content_clean = re.sub(r'\sxmlns[^"]*"[^"]*"', '', xml_content)
-root = ET.fromstring(xml_content_clean)
+root = DefusedET.fromstring(xml_content_clean)
 # Try to find tag, can be at root level or nested
 id_elem = root.find('.//id')
diff --git a/scripts/coding_discovery_tools/macos/jetbrains/mcp_config_extractor.py b/scripts/coding_discovery_tools/macos/jetbrains/mcp_config_extractor.py
index dfdd89ce..8be72494 100644
--- a/scripts/coding_discovery_tools/macos/jetbrains/mcp_config_extractor.py
+++ b/scripts/coding_discovery_tools/macos/jetbrains/mcp_config_extractor.py
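Review bot: The new `import defusedxml.ElementTree as DefusedET` brings in a third-party package, but the diffstat lists only the four source files, so nothing in this change declares the dependency; on a host where defusedxml is not installed each of these scripts now fails at import time instead of parsing unsafely. Add defusedxml to the project's requirements or pyproject in the same change, and place the import in the third-party group rather than between the stdlib lines. The original `import xml.etree.ElementTree as ET` is kept; if the module no longer references `ET` it should go, and if it only needs `ET.ParseError`, defusedxml.ElementTree exports the same `ParseError`. The same applies to the import hunks in macos/jetbrains/mcp_config_extractor.py and both windows files; the import block may continue past the hunk.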
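Review bot: `DefusedET.fromstring` rejects XML that declares entities or external references by raising a `DefusedXmlException` (a `ValueError` subclass), not `ET.ParseError`, so if the `except` clause that closes this `try` catches only `ET.ParseError`, a plugin.xml with an entity declaration now propagates out of `_parse_plugin_xml` where it was previously parsed; the handler and the rest of the function lie below the hunk, so this is inferred from the visible `try:`. Widen the handler so a rejected file is logged and skipped rather than aborting the discovery run, e.g. `from defusedxml import DefusedXmlException` and `except (ET.ParseError, DefusedXmlException) as e:`. The same point applies to the `DefusedET.fromstring` hunk in windows/jetbrains/jetbrains.py and to the `DefusedET.parse` hunks in both mcp_config_extractor.py files.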
@@ -6,6 +6,7 @@
 import logging
 import os
 import xml.etree.ElementTree as ET
+import defusedxml.ElementTree as DefusedET
 from pathlib import Path
 from typing import Optional, Dict, List
@@ -198,7 +199,7 @@ def _parse_mcp_xml(self, xml_path: Path) -> List[Dict]:
 """Simplified 2025.x MCP XML parser."""
 servers = []
 try:
-tree = ET.parse(xml_path)
+tree = DefusedET.parse(xml_path)
 for node in tree.findall(".//McpServerConfigurationProperties"):
 def get_opt(n, name):
diff --git a/scripts/coding_discovery_tools/windows/jetbrains/jetbrains.py b/scripts/coding_discovery_tools/windows/jetbrains/jetbrains.py
index 3dffd48f..9d9ea74e 100644
--- a/scripts/coding_discovery_tools/windows/jetbrains/jetbrains.py
+++ b/scripts/coding_discovery_tools/windows/jetbrains/jetbrains.py
@@ -6,6 +6,7 @@
 import logging
 import re
 import xml.etree.ElementTree as ET
+import defusedxml.ElementTree as DefusedET
 import zipfile
 from pathlib import Path
 from typing import Optional, Dict, List, Set, Tuple
@@ -322,7 +323,7 @@ def _parse_plugin_xml(self, xml_content: str) -> Tuple[Optional[str], Optional[s
 try:
 # Remove XML namespace declarations for simpler parsing
 xml_content_clean = re.sub(r'\sxmlns[^"]*"[^"]*"', '', xml_content)
-root = ET.fromstring(xml_content_clean)
+root = DefusedET.fromstring(xml_content_clean)
 # Try to find tag, can be at root level or nested
 id_elem = root.find('.//id')
diff --git a/scripts/coding_discovery_tools/windows/jetbrains/mcp_config_extractor.py b/scripts/coding_discovery_tools/windows/jetbrains/mcp_config_extractor.py
index ee7d9ad5..50a4a39d 100644
--- a/scripts/coding_discovery_tools/windows/jetbrains/mcp_config_extractor.py
+++ b/scripts/coding_discovery_tools/windows/jetbrains/mcp_config_extractor.py
@@ -6,6 +6,7 @@
 import logging
 import os
 import xml.etree.ElementTree as ET
+import defusedxml.ElementTree as DefusedET
 from pathlib import Path
 from typing import Optional, Dict, List
@@ -284,7 +285,7 @@ def _extract_project_paths_from_xml(self, xml_path: Path) -> set:
 paths = set()
 try:
-tree = ET.parse(xml_path)
+tree = DefusedET.parse(xml_path)
 root = tree.getroot()
 # Various path formats used by JetBrains