From 38d68e664992165363c4483e1ac3b65ff50a4323 Mon Sep 17 00:00:00 2001 From: Daniel Brown Date: Thu, 19 Dec 2024 03:35:47 +0100 Subject: [PATCH] remove B320 (xml_bad_etree) and B410 (import_lxml) --- bandit/blacklists/calls.py | 28 ---------------------------- bandit/blacklists/imports.py | 28 ---------------------------- examples/xml_lxml.py | 9 --------- tests/functional/test_functional.py | 6 ------ 4 files changed, 71 deletions(-) delete mode 100644 examples/xml_lxml.py diff --git a/bandit/blacklists/calls.py b/bandit/blacklists/calls.py index 60656b12f..09dfb2f19 100644 --- a/bandit/blacklists/calls.py +++ b/bandit/blacklists/calls.py @@ -256,13 +256,6 @@ | B319 | xml_bad_pulldom | - xml.dom.pulldom.parse | Medium | | | | - xml.dom.pulldom.parseString | | +------+---------------------+------------------------------------+-----------+ -| B320 | xml_bad_etree | - lxml.etree.parse | Medium | -| | | - lxml.etree.fromstring | | -| | | - lxml.etree.RestrictedElement | | -| | | - lxml.etree.GlobalParserTLS | | -| | | - lxml.etree.getDefaultParser | | -| | | - lxml.etree.check_docinfo | | -+------+---------------------+------------------------------------+-----------+ B321: ftplib ------------ @@ -615,27 +608,6 @@ def gen_blacklist(): ) ) - sets.append( - utils.build_conf_dict( - "xml_bad_etree", - "B320", - issue.Cwe.IMPROPER_INPUT_VALIDATION, - [ - "lxml.etree.parse", - "lxml.etree.fromstring", - "lxml.etree.RestrictedElement", - "lxml.etree.GlobalParserTLS", - "lxml.etree.getDefaultParser", - "lxml.etree.check_docinfo", - ], - ( - "Using {name} to parse untrusted XML data is known to be " - "vulnerable to XML attacks. Replace {name} with its " - "defusedxml equivalent function." - ), - ) - ) - # end of XML tests sets.append( diff --git a/bandit/blacklists/imports.py b/bandit/blacklists/imports.py index 58dfcb3c7..9110ac9f4 100644 --- a/bandit/blacklists/imports.py +++ b/bandit/blacklists/imports.py 
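Review bot: Dropping the B320 entry from gen_blacklist() retires the test ID silently — nothing in the module docstring table, and nothing in the commit message, records that B320 and B410 no longer exist or why, so a later contributor could reuse the numbers for an unrelated check. Existing profiles (`tests:`/`skips:` lists) and inline `# nosec B320` / `# nosec B410` markers in user code will now name unknown IDs; confirm how the profile loader and the nosec handling treat an ID that no test provides before this ships. Since lxml's default XMLParser still resolves entities as far as I know (resolve_entities defaults to True), the removal also takes away the only pointer users got toward parser hardening, so consider leaving a short retired-ID line at the end of the XML section, e.g. `B320 (xml_bad_etree) and B410 (import_lxml) have been retired; harden lxml parsing with etree.XMLParser(resolve_entities=False) where input is untrusted.` The same applies to the import_lxml and lxml_msg removals in bandit/blacklists/imports.py. gen_blacklist() starts and ends outside this hunk.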
@@ -130,18 +130,6 @@ | B409 | import_xml_pulldom | - xml.dom.pulldom | low | +------+---------------------+------------------------------------+-----------+ -B410: import_lxml ------------------ - -Using various methods to parse untrusted XML data is known to be vulnerable to -XML attacks. Replace vulnerable imports with the equivalent defusedxml package. - -+------+---------------------+------------------------------------+-----------+ -| ID | Name | Imports | Severity | -+======+=====================+====================================+===========+ -| B410 | import_lxml | - lxml | low | -+------+---------------------+------------------------------------+-----------+ - B411: import_xmlrpclib ---------------------- @@ -297,11 +285,6 @@ def gen_blacklist(): "defusedxml package, or make sure defusedxml.defuse_stdlib() " "is called." ) - lxml_msg = ( - "Using {name} to parse untrusted XML data is known to be " - "vulnerable to XML attacks. Replace {name} with the " - "equivalent defusedxml package." - ) sets.append( utils.build_conf_dict( @@ -358,17 +341,6 @@ def gen_blacklist(): ) ) - sets.append( - utils.build_conf_dict( - "import_lxml", - "B410", - issue.Cwe.IMPROPER_INPUT_VALIDATION, - ["lxml"], - lxml_msg, - "LOW", - ) - ) - sets.append( utils.build_conf_dict( "import_xmlrpclib", diff --git a/examples/xml_lxml.py b/examples/xml_lxml.py deleted file mode 100644 index dd12e5384..000000000 --- a/examples/xml_lxml.py +++ /dev/null @@ -1,9 +0,0 @@ -import lxml.etree -import lxml -from lxml import etree -from defusedxml.lxml import fromstring -from defuxedxml import lxml as potatoe - -xmlString = "\nTove\nJani\nReminder\nDon't forget me this weekend!\n" -root = lxml.etree.fromstring(xmlString) -root = fromstring(xmlString) diff --git a/tests/functional/test_functional.py b/tests/functional/test_functional.py index a89c152e7..f9943f708 100644 --- a/tests/functional/test_functional.py +++ b/tests/functional/test_functional.py 
@@ -556,12 +556,6 @@ def test_xml(self): } self.check_example("xml_expatbuilder.py", expect) - expect = { - "SEVERITY": {"UNDEFINED": 0, "LOW": 3, "MEDIUM": 1, "HIGH": 0}, - "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 4}, - } - self.check_example("xml_lxml.py", expect) - expect = { "SEVERITY": {"UNDEFINED": 0, "LOW": 2, "MEDIUM": 2, "HIGH": 0}, "CONFIDENCE": {"UNDEFINED": 0, "LOW": 0, "MEDIUM": 0, "HIGH": 4},