config-tools: replace xml.etree.ElementTree with defusedxml.ElementTree

Using xml.etree.ElementTree to parse the untrusted data is known to raise security issue. Replaced it using defusedxml. Tracked-On: #6342 Signed-off-by: Yang,Yu-chu <yu-chu.yang@intel.com>
2021-07-29 14:02:50 -07:00 · 2021-07-29 14:02:50 -07:00 · 668ae81048
parent c10ac227cc
commit 668ae81048
4 changed files with 4 additions and 3 deletions
--- a/doc/getting-started/building-from-source.rst
+++ b/doc/getting-started/building-from-source.rst
@ -80,7 +80,7 @@ ACRN.
          xsltproc \
          clang-format

-     sudo pip3 install lxml xmlschema
+     sudo pip3 install lxml xmlschema defusedxml

     wget https://acpica.org/sites/acpica/files/acpica-unix-20210105.tar.gz
     tar zxvf acpica-unix-20210105.tar.gz
--- a/doc/getting-started/getting-started.rst
+++ b/doc/getting-started/getting-started.rst
@ -180,7 +180,7 @@ Build the ACRN Hypervisor on Ubuntu
        xsltproc \
        clang-format

-      $ sudo pip3 install lxml xmlschema
+      $ sudo pip3 install lxml xmlschema defusedxml

 #. Starting with the ACRN v2.2 release, we use the ``iasl`` tool to
   compile an offline ACPI binary for pre-launched VMs while building ACRN,
--- a/misc/config_tools/config_app/requirements
+++ b/misc/config_tools/config_app/requirements
@ -2,3 +2,4 @@ Flask==1.1.1
 flask_bootstrap==3.3.7.1
 xmlschema==1.4.1
 lxml==4.6.2
+defusedxml==0.7.1
--- a/misc/config_tools/library/common.py
+++ b/misc/config_tools/library/common.py
@ -8,7 +8,7 @@ import sys
 import getopt
 import shutil
 import subprocess # nosec
-import xml.etree.ElementTree as ET
+import defusedxml.ElementTree as ET
 import re
 import lxml