Merge pull request #11 from uktrade/SR3652_part_iii

adamwozencroft · web-flow · commit 99bf85b8c3fc · 2025-06-19T10:43:33.000+01:00
SR-3652 part iii - revenge of the log formatter
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,12 @@
 # Changelog
 
+## [0.9.4] - 2025-06-19
+
+Fix of a security vulnerability: https://github.com/uktrade/djangosaml2idp2/security/code-scanning/1
+
+### Added
+- Downgraded pre-commit package to work better with other downstream packages.
+
 ## [0.9.3] - 2025-06-13
 
 Update of aging dependencies that had vulnerabilities and also add support for newer Python and Django versions.
diff --git a/djangosaml2idp/__init__.py b/djangosaml2idp/__init__.py
@@ -1 +1 @@
-__version__ = '0.9.3'
+__version__ = '0.9.4'
diff --git a/djangosaml2idp/utils.py b/djangosaml2idp/utils.py
@@ -2,7 +2,8 @@
 import datetime
 import xml.dom.minidom
 from saml2.response import StatusResponse
-import xml.etree.ElementTree as ET
+import defusedxml.ElementTree as ET
+import defusedxml.minidom
 import zlib
 from xml.parsers.expat import ExpatError
 from django.conf import settings
@@ -18,12 +19,12 @@ def repr_saml(saml: str, b64: bool = False):
     """
     try:
         msg = base64.b64decode(saml).decode() if b64 else saml
-        dom = xml.dom.minidom.parseString(msg)
+        dom = defusedxml.minidom.parseString(msg)
     except (UnicodeDecodeError, ExpatError):
         # in HTTP-REDIRECT the base64 must be inflated
         compressed = base64.b64decode(saml)
         inflated = zlib.decompress(compressed, -15)
-        dom = xml.dom.minidom.parseString(inflated.decode())
+        dom = defusedxml.minidom.parseString(inflated.decode())
     return dom.toprettyxml()
 
 
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -16,7 +16,7 @@ exclude = '''
 
 [tool.poetry]
 name = "djangosaml2idp2"
-version = "0.9.3"
+version = "0.9.4"
 description = "Forked from the original https://github.com/OTA-Insight/djangosaml2idp to provide bugfixes and upgrades to python and django support."
 authors = ["Department for Business and Trade Platform Team <sre-team@digital.trade.gov.uk>"]
 readme = "README.rst"
@@ -53,7 +53,7 @@ nodeenv = ">=1.9.1"
 packaging = ">=25.0"
 pip-tools = ">=7.4.1"
 pluggy = ">=1.6.0"
-pre-commit = ">=4.2.0"
+pre-commit = ">=3.5.0,<4.0.0"
 pycparser = ">=2.22"
 pyopenssl = ">=24.2.1,<24.3.0"
 pyparsing = ">=3.2.3"
diff --git a/requirements-dev.txt b/requirements-dev.txt
@@ -60,7 +60,7 @@ pluggy>=1.6.0
     # via
     #   pytest
     #   tox
-pre-commit>=4.2.0
+pre-commit>=3.5.0,<4.0.0
     # via -r requirements-dev.in
 py>=1.10.0
     # via

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-__version__ = '0.9.3'`
	`1`	`+__version__ = '0.9.4'`