use defusedxml for sax.parse().

Author: elliotwutingfeng

pre_commit_hooks/check_xml.py

@@ -4,6 +4,10 @@
 import xml.sax.handler
 from collections.abc import Sequence
 
+import defusedxml
+
+defusedxml.defuse_stdlib()
+
 
 def main(argv: Sequence[str] | None = None) -> int:
     parser = argparse.ArgumentParser()
@@ -15,7 +19,7 @@ def main(argv: Sequence[str] | None = None) -> int:
     for filename in args.filenames:
         try:
             with open(filename, 'rb') as xml_file:
-                xml.sax.parse(xml_file, handler)
+                defusedxml.sax.parse(xml_file, handler)
         except xml.sax.SAXException as exc:
             print(f'{filename}: Failed to xml parse ({exc})')
             retval = 1

setup.cfg

@@ -18,6 +18,7 @@ classifiers =
 [options]
 packages = find:
 install_requires =
+    defusedxml>=0.7.1
     ruamel.yaml>=0.15
     tomli>=1.1.0;python_version<"3.11"
 python_requires = >=3.10