Refactor XML ParseError handling and use defusedxml (fixes #14752)

david-f0195 · david-f0195 · commit 8f18e3e60bbb · 2026-05-02T13:43:59.000+05:30
Switched to defusedxml for better security alignment and updated the error format to use a field-specific dictionary as recommended in DRF. Also moved the catch block to avoid misleading comment alignment.
diff --git a/dojo/api_v2/serializers.py b/dojo/api_v2/serializers.py
@@ -4,11 +4,11 @@
 import logging
 import re
 import time
-import xml.etree.ElementTree as ET
 from datetime import datetime
 
 import six
 import tagulous
+from defusedxml import ElementTree as ET
 from django.conf import settings
 from django.contrib.auth.models import Group, Permission
 from django.contrib.auth.password_validation import validate_password
@@ -2394,14 +2394,14 @@ def process_scan(
             duration = time.perf_counter() - start_time
             LargeScanSizeProductAnnouncement(response_data=data, duration=duration)
             ScanTypeProductAnnouncement(response_data=data, scan_type=context.get("scan_type"))
+        except ET.ParseError as e:
+            raise serializers.ValidationError({"file": f"Malformed XML: {e}"})
         # convert to exception otherwise django rest framework will swallow them as 400 error
         # exceptions are already logged in the importer
         except SyntaxError as se:
             raise Exception(se)
         except ValueError as ve:
             raise Exception(ve)
-        except ET.ParseError as e:
-            raise serializers.ValidationError(f"Malformed XML: {e}")
 
     def validate(self, data: dict) -> dict:
         scan_type = data.get("scan_type")
@@ -2704,14 +2704,14 @@ def process_scan(
             duration = time.perf_counter() - start_time
             LargeScanSizeProductAnnouncement(response_data=data, duration=duration)
             ScanTypeProductAnnouncement(response_data=data, scan_type=context.get("scan_type"))
+        except ET.ParseError as e:
+            raise serializers.ValidationError({"file": f"Malformed XML: {e}"})
         # convert to exception otherwise django rest framework will swallow them as 400 error
         # exceptions are already logged in the importer
         except SyntaxError as se:
             raise Exception(se)
         except ValueError as ve:
             raise Exception(ve)
-        except ET.ParseError as e:
-            raise serializers.ValidationError(f"Malformed XML: {e}")
 
     def save(self, *, push_to_jira=False):
         # Go through the validate method
@@ -2788,12 +2788,12 @@ def save(self):
                     create_dojo_meta,
                     origin="API",
                 )
+        except ET.ParseError as e:
+            raise serializers.ValidationError({"file": f"Malformed XML: {e}"})
         except SyntaxError as se:
             raise Exception(se)
         except ValueError as ve:
             raise Exception(ve)
-        except ET.ParseError as e:
-            raise serializers.ValidationError(f"Malformed XML: {e}")
 
 
 class LanguageTypeSerializer(serializers.ModelSerializer):
