chore: remove warnings from defusedxml package

Diego Velásquez · Diego Velásquez · commit acbbc8a441be · 2023-07-03T12:24:52.000-05:00
diff --git a/openedx/core/lib/safe_lxml/__init__.py b/openedx/core/lib/safe_lxml/__init__.py
@@ -7,8 +7,6 @@ def defuse_xml_libs():
     """
     Monkey patch and defuse all stdlib xml packages and lxml.
     """
-    from defusedxml import defuse_stdlib
-    defuse_stdlib()
 
     import lxml
     import lxml.etree
diff --git a/openedx/core/lib/safe_lxml/etree.py b/openedx/core/lib/safe_lxml/etree.py
@@ -16,10 +16,9 @@
 
 from lxml.etree import XMLParser as _XMLParser
 from lxml.etree import *  # lint-amnesty, pylint: disable=redefined-builtin
-from lxml.etree import _Element, _ElementTree
-
-# This should be imported after lxml.etree so that it overrides the following attributes.
-from defusedxml.lxml import XML, fromstring, parse
+# These private elements are used in some libraries to also defuse xml exploits for their own purposes.
+# We need to re-expose them so that the libraries still work.
+from lxml.etree import _Comment, _Element, _ElementTree, _Entity, _ProcessingInstruction
 
 
 class XMLParser(_XMLParser):  # pylint: disable=function-redefined
diff --git a/openedx/core/lib/safe_lxml/tests.py b/openedx/core/lib/safe_lxml/tests.py
@@ -1,29 +1,24 @@
 """
 Test that we have defused XML.
-
-For these tests, the defusing will happen in one or more of the `conftest.py`
-files that runs at pytest startup calls `defuse_xml_libs()`.
-
-In production, the defusing happens when the LMS or Studio `wsgi.py` files
-call `defuse_xml_libs()`.
 """
 
 
-import defusedxml
 from lxml import etree
 
 import pytest
 
 
-@pytest.mark.parametrize("attr", ["XML", "fromstring", "parse"])
-def test_etree_is_defused(attr):
-    func = getattr(etree, attr)
-    assert "defused" in func.__code__.co_filename
+def test_entities_resolved():
+    xml = '<?xml version="1.0"?><!DOCTYPE mydoc [<!ENTITY hi "Hello">]> <root>&hi;</root>'
+    parser = etree.XMLParser(resolve_entities=True)
+    tree = etree.fromstring(xml, parser=parser)
+    pr = etree.tostring(tree)
+    assert pr == b'<root>Hello</root>'
 
 
 def test_entities_arent_resolved():
-    # Make sure we have disabled entity resolution.
     xml = '<?xml version="1.0"?><!DOCTYPE mydoc [<!ENTITY hi "Hello">]> <root>&hi;</root>'
-    parser = etree.XMLParser()
-    with pytest.raises(defusedxml.EntitiesForbidden):
-        _ = etree.XML(xml, parser=parser)
+    parser = etree.XMLParser(resolve_entities=False)
+    tree = etree.fromstring(xml, parser=parser)
+    pr = etree.tostring(tree)
+    assert pr == b'<root>&hi;</root>'
