Security: Use defusedxml for XML parsing in MJCF/URDF importers

## Description

The MJCF importer in `newton/_src/utils/import_mjcf.py` currently uses `xml.etree.ElementTree` to parse XML input, which is vulnerable to XML attacks such as XML bomb (billion laughs attack) and external entity injection.

While `sanitize_xml_content` provides some mitigation, it doesn't fully protect against all XML-based attacks. The recommended approach is to use `defusedxml.ElementTree` instead.

## Impact

When parsing untrusted MJCF content (e.g., user-provided XML strings), the application could be vulnerable to:
- XML bomb attacks leading to resource exhaustion
- External entity injection
- Other XML-based exploits

## Recommendation

Replace `xml.etree.ElementTree` with `defusedxml.ElementTree` with a fallback to the standard library if defusedxml is unavailable.

## References

- PR: https://github.com/newton-physics/newton/pull/996
- Comment: https://github.com/newton-physics/newton/pull/996#discussion_r2492432897
- Requested by: @eric-heiden

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Security: Use defusedxml for XML parsing in MJCF/URDF importers #1028

Description

Impact

Recommendation

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Security: Use defusedxml for XML parsing in MJCF/URDF importers #1028

Description

Description

Impact

Recommendation

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions