Remove lxml (B320 & B410) from blacklist (#1212)

* remove B320 (xml_bad_etree) and B410 (import_lxml)

* restore lxml documentation and denote removal

* fix missing newline

Co-authored-by: Ian Stapleton Cordasco <[email protected]>

---------

Co-authored-by: Ian Stapleton Cordasco <[email protected]>
Co-authored-by: Eric Brown <[email protected]>

bandit/blacklists/calls.py

@@ -219,7 +219,7 @@
 | B312 | telnetlib           | - telnetlib.\*                     | High      |
 +------+---------------------+------------------------------------+-----------+
 
-B313 - B320: XML
+B313 - B319: XML
 ----------------
 
 Most of this is based off of Christian Heimes' work on defusedxml:
@@ -256,6 +256,15 @@
 | B319 | xml_bad_pulldom     | - xml.dom.pulldom.parse            | Medium    |
 |      |                     | - xml.dom.pulldom.parseString      |           |
 +------+---------------------+------------------------------------+-----------+
+
+B320: xml_bad_etree
+-------------------
+
+The check for this call has been removed.
+
++------+---------------------+------------------------------------+-----------+
+| ID   |  Name               |  Calls                             |  Severity |
++======+=====================+====================================+===========+
 | B320 | xml_bad_etree       | - lxml.etree.parse                 | Medium    |
 |      |                     | - lxml.etree.fromstring            |           |
 |      |                     | - lxml.etree.RestrictedElement     |           |
@@ -615,26 +624,7 @@ def gen_blacklist():
         )
     )
 
-    sets.append(
-        utils.build_conf_dict(
-            "xml_bad_etree",
-            "B320",
-            issue.Cwe.IMPROPER_INPUT_VALIDATION,
-            [
-                "lxml.etree.parse",
-                "lxml.etree.fromstring",
-                "lxml.etree.RestrictedElement",
-                "lxml.etree.GlobalParserTLS",
-                "lxml.etree.getDefaultParser",
-                "lxml.etree.check_docinfo",
-            ],
-            (
-                "Using {name} to parse untrusted XML data is known to be "
-                "vulnerable to XML attacks. Replace {name} with its "
-                "defusedxml equivalent function."
-            ),
-        )
-    )
+    # skipped B320 as the check for a call to lxml.etree has been removed
 
     # end of XML tests
 

bandit/blacklists/imports.py

@@ -133,6 +133,9 @@
 B410: import_lxml
 -----------------
 
+This import blacklist has been removed. The information here has been
+left for historical purposes.
+
 Using various methods to parse untrusted XML data is known to be vulnerable to
 XML attacks. Replace vulnerable imports with the equivalent defusedxml package.
 
@@ -297,11 +300,6 @@ def gen_blacklist():
         "defusedxml package, or make sure defusedxml.defuse_stdlib() "
         "is called."
     )
-    lxml_msg = (
-        "Using {name} to parse untrusted XML data is known to be "
-        "vulnerable to XML attacks. Replace {name} with the "
-        "equivalent defusedxml package."
-    )
 
     sets.append(
         utils.build_conf_dict(
@@ -358,16 +356,7 @@ def gen_blacklist():
         )
     )
 
-    sets.append(
-        utils.build_conf_dict(
-            "import_lxml",
-            "B410",
-            issue.Cwe.IMPROPER_INPUT_VALIDATION,
-            ["lxml"],
-            lxml_msg,
-            "LOW",
-        )
-    )
+    # skipped B410 as the check for import_lxml has been removed
 
     sets.append(
         utils.build_conf_dict(

tests/functional/test_functional.py

@@ -556,12 +556,6 @@ def test_xml(self):
         }
         self.check_example("xml_expatbuilder.py", expect)
 
-        expect = {
-            "SEVERITY": {"UNDEFINED": 0, "LOW": 3, "MEDIUM": 1, "HIGH": 0},
-            "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 4},
-        }
-        self.check_example("xml_lxml.py", expect)
-
         expect = {
             "SEVERITY": {"UNDEFINED": 0, "LOW": 2, "MEDIUM": 2, "HIGH": 0},
             "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 4},