From 7c4912d16ab9d8553d7fe16e348205bb1cea3af2 Mon Sep 17 00:00:00 2001
From: Vinit Kumar
Date: Thu, 7 Oct 2021 02:24:19 +0530
Subject: [PATCH] Feat/security improvements (#81)

* :lock: refactor: replace xml with defused xml fixes #80, to fix the security attacks that can happen using the xml.dom from stdlib. defusedxml is API compatible and easy to replace that fixes these security issues, so why not. Adds an extra dependency but is worth it.
* :bookmark: feat: version bump
* :art: feat: pin dependencies
* :package: feat: packages are installed from a new file
---
 .github/workflows/pythonpackage.yml | 2 +-
 .gitignore | 1 +
 json2xml/__init__.py | 2 +-
 json2xml/dicttoxml.py | 3 +-
 json2xml/json2xml.py | 2 +-
 requirements.in | 5 ++++
 requirements.txt | 44 +++++++++++++++++++++++++++++
 requirements_dev.txt | 18 ------------
 requirements_prod.txt | 2 --
 setup.py | 2 +-
 tox.ini | 8 +++---
 11 files changed, 59 insertions(+), 30 deletions(-)
 create mode 100644 requirements.in
 create mode 100644 requirements.txt
 delete mode 100644 requirements_dev.txt
 delete mode 100644 requirements_prod.txt
diff --git a/.github/workflows/pythonpackage.yml b/.github/workflows/pythonpackage.yml
index d0cee00..dfcb5f2 100644
--- a/.github/workflows/pythonpackage.yml
+++ b/.github/workflows/pythonpackage.yml
@@ -25,7 +25,7 @@ jobs:
 run: |
 python -m pip install --upgrade pip
 pip install pytest
- pip install -r requirements_prod.txt
+ pip install -r requirements.txt
 python setup.py install
 - name: Lint with flake8
 run: |
diff --git a/.gitignore b/.gitignore
index 7609cdd..c541cef 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 .idea
+.tox
 *.pyc
 json2xml.egg-info
 build
diff --git a/json2xml/__init__.py b/json2xml/__init__.py
index 9ce7d06..37a8652 100644
--- a/json2xml/__init__.py
+++ b/json2xml/__init__.py
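Review bot: The unpinned `pip install pytest` kept just above the new `pip install -r requirements.txt` line is now redundant and at odds with the pinning this commit introduces: requirements.txt pins pytest==6.2.5, so CI first installs whatever pytest is latest and then replaces it. Drop that line and let the pinned file be the single source of what CI runs against. If the lock file is later regenerated with `pip-compile --generate-hashes`, this step can become `pip install --require-hashes -r requirements.txt`, which is what makes a pinned file actually resist a swapped artifact. The enclosing step definition continues outside the hunk.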
@@ -4,7 +4,7 @@ __author__ = """Vinit Kumar"""
 __email__ = "mail@vinitkumar.me"
-__version__ = "3.7.0"
+__version__ = "3.8.0"
 # from .utils import readfromurl, readfromstring, readfromjson
diff --git a/json2xml/dicttoxml.py b/json2xml/dicttoxml.py
index 43b8e10..445fb49 100755
--- a/json2xml/dicttoxml.py
+++ b/json2xml/dicttoxml.py
@@ -5,8 +5,7 @@ import logging
 import numbers
 from random import randint
-from xml.dom.minidom import parseString
-
+from defusedxml.minidom import parseString
 from typing import Dict, Any
diff --git a/json2xml/json2xml.py b/json2xml/json2xml.py
index 6129a4d..624870d 100644
--- a/json2xml/json2xml.py
+++ b/json2xml/json2xml.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 from typing import Optional, Any
-from xml.dom.minidom import parseString
+from defusedxml.minidom import parseString
 from json2xml import dicttoxml
diff --git a/requirements.in b/requirements.in
new file mode 100644
index 0000000..2fa158e
--- /dev/null
+++ b/requirements.in
@@ -0,0 +1,5 @@
+requests>=2.20.0
+defusedxml==0.7.1
+pytest
+xmltodict
+
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..4802459
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,44 @@
+#
+# This file is autogenerated by pip-compile with python 3.7
+# To update, run:
+#
+# pip-compile
+#
+attrs==21.2.0
+ # via pytest
+certifi==2021.5.30
+ # via requests
+charset-normalizer==2.0.6
+ # via requests
+defusedxml==0.7.1
+ # via -r requirements.in
+idna==3.2
+ # via requests
+importlib-metadata==4.8.1
+ # via
+ # pluggy
+ # pytest
+iniconfig==1.1.1
+ # via pytest
+packaging==21.0
+ # via pytest
+pluggy==1.0.0
+ # via pytest
+py==1.10.0
+ # via pytest
+pyparsing==2.4.7
+ # via packaging
+pytest==6.2.5
+ # via -r requirements.in
+requests==2.26.0
+ # via -r requirements.in
+toml==0.10.2
+ # via pytest
+typing-extensions==3.10.0.2
+ # via importlib-metadata
+urllib3==1.26.7
+ # via requests
+xmltodict==0.12.0
+ # via -r requirements.in
+zipp==3.6.0
+ # via importlib-metadata
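Review bot: The new `from defusedxml.minidom import parseString` in dicttoxml.py lands between two stdlib imports (`from random import randint`, `from typing import Dict, Any`) once the blank line is removed, so a third-party import now sits inside the stdlib group; the json2xml.py hunk has the same issue, with the import placed between `typing` and the first-party `from json2xml import dicttoxml`. Move it into its own group below the stdlib imports with a blank line on each side, and record the intent with a comment such as `# defusedxml: drop-in minidom that rejects entity expansion and external entities`. defusedxml's parseString keeps forbid_dtd=False by default, and the parseString call sites are outside these hunks, so I cannot tell from here whether the parsed string can ever be caller-supplied; if it can, pass `forbid_dtd=True` as well. Any caller that catches xml.parsers.expat.ExpatError around the parse will not see defusedxml's DefusedXmlException (a ValueError subclass), which deserves a line in the changelog.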
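Review bot: `pytest` is a test-only dependency listed in the same requirements.in as the runtime dependencies, and because the setup.py hunk in this commit reads the compiled requirements.txt into the package's requirements, every installer of the package will now pull pytest and all of its pinned transitive packages. Keep requirements.in to the runtime set (`requests>=2.20.0`, `defusedxml==0.7.1`, and `xmltodict` if it is imported at runtime) and put pytest in a separate dev input such as `requirements-dev.in`. Consider regenerating with `pip-compile --generate-hashes` so the lock file pins content hashes as well as versions; a version pin alone does not guard against a replaced artifact. The trailing blank line added as the fifth line can be dropped.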
diff --git a/requirements_dev.txt b/requirements_dev.txt
deleted file mode 100644
index dbb5650..0000000
--- a/requirements_dev.txt
+++ /dev/null
@@ -1,18 +0,0 @@
-pip==19.2
-bumpversion==0.5.3
-wheel==0.32.1
-watchdog==0.9.0
-flake8==3.5.0
-tox==3.5.2
-Sphinx==1.8.1
-twine==1.12.1
-dict2xml==1.5
-six==1.11.0
-lxml==4.6.3
-requests>=2.20.0
-coverage==4.0.3
-xmltodict==0.11.0
-python-coveralls==2.9.1
-
-
-
diff --git a/requirements_prod.txt b/requirements_prod.txt
deleted file mode 100644
index d1dd541..0000000
--- a/requirements_prod.txt
+++ /dev/null
@@ -1,2 +0,0 @@
-requests>=2.20.0
-
diff --git a/setup.py b/setup.py
index a1a3d94..eb96dbc 100644
--- a/setup.py
+++ b/setup.py
@@ -12,7 +12,7 @@ with open("HISTORY.rst") as history_file:
 history = history_file.read()
-requirements = [open("requirements_prod.txt").read()]
+requirements = [open("requirements.txt").read()]
 setup_requirements = []
diff --git a/tox.ini b/tox.ini
index 29887f8..29b310c 100644
--- a/tox.ini
+++ b/tox.ini
@@ -1,11 +1,11 @@
 [tox]
-envlist = py27, py34, py35, py36, flake8
+envlist = py38, py39, py310
 [travis]
 python =
- 3.6: py36
- 3.5: py35
- 3.4: py34
+ 3.9: py39
+ 3.8: py38
+ 3.10: py310
 2.7: py27
 [testenv:flake8]
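Review bot: `requirements = [open("requirements.txt").read()]` now hands the whole pip-compile output — comment lines, `# via` annotations, pytest, and exact pins for every transitive package — to setuptools as a single list element, where requirements_prod.txt held only `requests>=2.20.0`. Even where setuptools tolerates the multi-line string, a library's install requirements (presumably this list feeds install_requires further down) should be abstract runtime requirements rather than a lock file, or the package will conflict with any consumer that pins urllib3, certifi or attrs differently; the file is also opened without `with` and resolved against the current directory rather than the location of setup.py. Declare the runtime set directly, e.g. `requirements = ["requests>=2.20.0", "defusedxml>=0.7.1"]` (plus xmltodict if it is a runtime import), and keep requirements.txt for CI and tox. The rest of the setup() call is outside the hunk.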
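Review bot: The new `envlist = py38, py39, py310` drops `flake8`, so `tox` no longer runs the `[testenv:flake8]` environment that the hunk's last context line still defines, while the unchanged `2.7: py27` mapping under `[travis]` still points at an env that no longer exists. Either restore lint with `envlist = py38, py39, py310, flake8` and delete the `2.7: py27` line, or remove the `[testenv:flake8]` section as well so the file and the CI matrix agree. The body of `[testenv:flake8]` continues outside the hunk.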