perf: make validation more secure

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
CycloneDX · Oct 4, 2023 · 5d7b86c · 5d7b86c
1 parent c8c2183
commit 5d7b86c
Showing 1 changed file with 10 additions and 5 deletions.
diff --git a/cyclonedx/validation/xml.py b/cyclonedx/validation/xml.py
@@ -65,11 +65,16 @@ def _validata_data(self, data: Any) -> Optional[ValidationError]:
 
         __validator: Optional['XMLSchema'] = None
 
-        __xml_parser = XMLParser(
-            resolve_entities=False,
-            no_network=True,
-            huge_tree=True,
-            compact=True)
+        @property
+        def __xml_parser(self) -> XMLParser:
+            return XMLParser(
+                attribute_defaults=False, dtd_validation=False, load_dtd=False,
+                no_network=True,
+                resolve_entities=False,
+                huge_tree=True,
+                compact=True,
+                recover=False
+            )
 
         @property
         def _validator(self) -> 'XMLSchema':