
[Security] Fix CodeQL alert #27: XML external entity expansion #85

Open

colin-d-fried wants to merge 1 commit into main from security/codeql-27-xxe-fix

Conversation

colin-d-fried (Owner) commented Mar 26, 2026

Summary

Fixes CodeQL alert #27: XML external entity expansion

Field     | Value
----------|-------------------
Severity  | critical
File      | vulnerable_xxe.py
CWE       | CWE-611
Alert     | CodeQL Alert #27

Fix Applied

See the diff for the specific secure coding change applied.

Fixes #29



Note

Medium Risk
Changes XML parsing for the /process_xml endpoint to use defusedxml, which may reject previously accepted XML (e.g., DTD/entity usage) but reduces XXE risk in a request-handling path.

Overview
Mitigates the CodeQL XXE finding by switching the /process_xml handler from lxml.etree.XMLParser + etree.fromstring to defusedxml.lxml.fromstring, and adds the corresponding import.

This makes XML parsing safer by default and may change behavior for inputs that rely on external entities/DTDs.

Written by Cursor Bugbot for commit e99d156. This will update automatically on new commits.


devin-ai-integration (bot) left a comment

Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 2 additional findings.

cursor (bot) left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Comment thread vulnerable_xxe.py
import xml.etree.ElementTree as ET
from flask import Flask, request
from lxml import etree
import defusedxml.lxml as defused_lxml

Fix uses deprecated module marked for removal

Medium Severity

The defusedxml.lxml module is officially deprecated by its maintainer and marked for removal in a future release. Importing it emits a DeprecationWarning at runtime. The maintainer notes it was only "example code" and explicitly states it has "NO protection against decompression bombs." Since lxml itself now includes built-in mitigations (disabled network access, billion-laughs protection), the recommended approach is to configure etree.XMLParser directly with safe settings like resolve_entities=False and no_network=True.

Additional Locations (1)
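The two parser configurations discussed above, as an added example that is not the PR's own code and not part of vulnerable_xxe.py: the lxml XMLParser pattern that the CWE-611 alert targets (resolve_entities=True, the pre-lxml-5 default) beside the hardened etree.XMLParser settings the Bugbot comment recommends. process_xml() is an assumed stand-in for the Flask /process_xml handler (no Flask import, so it runs offline), the secret file and both payloads are constructed by the script, and defusedxml is deliberately not used. The DOCTYPE rejection in process_xml() goes a step beyond the comment: it is the lxml-only counterpart of defusedxml's forbid_dtd, added here as an assumption about what the endpoint should accept.

```python
# Added example (not the PR's or the project's code): lxml XXE pattern and the
# hardened parser configuration recommended in the review comment.
# process_xml() is an assumed stand-in for the Flask /process_xml handler.
import os
import tempfile

from lxml import etree

# Constructed secret file standing in for something like /etc/passwd.
_secret = tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False)
_secret.write("s3cr3t-token\n")
_secret.close()
SECRET_PATH = _secret.name

# Constructed attacker payload: the internal DTD subset declares an external
# general entity pointing at a local file, and the body references it.
XXE_PAYLOAD = (
    "<?xml version=\"1.0\"?>\n"
    "<!DOCTYPE order [<!ENTITY leak SYSTEM \"file://" + SECRET_PATH + "\">]>\n"
    "<order><customer>&leak;</customer></order>"
).encode("utf-8")

# Constructed benign request, the kind of input the endpoint must still accept.
BENIGN_PAYLOAD = b"<order><customer>alice</customer></order>"


def parse_vulnerable(data: bytes) -> str:
    """The 'before' pattern: resolve_entities=True makes libxml2 substitute
    entities, external ones included, so the file contents land in the tree."""
    parser = etree.XMLParser(resolve_entities=True)
    root = etree.fromstring(data, parser)
    return root.findtext("customer") or ""


def parse_hardened(data: bytes) -> str:
    """Hardened lxml parser per the review comment: entity references stay
    unexpanded, no external DTD is loaded and no network access is allowed,
    so nothing is read from disk or fetched on the attacker's behalf."""
    parser = etree.XMLParser(
        resolve_entities=False,  # keep &leak; as a reference, never expand it
        no_network=True,         # refuse http:// and ftp:// entity loads
        load_dtd=False,          # do not fetch an external DTD subset
        huge_tree=False,         # keep libxml2's size and depth limits in force
    )
    root = etree.fromstring(data, parser)
    return root.findtext("customer") or ""


def process_xml(data: bytes) -> dict:
    """Assumed stand-in for the /process_xml handler. Documents carrying a
    DOCTYPE are rejected before parsing (the lxml-only equivalent of
    defusedxml's forbid_dtd); everything else goes through the hardened parser."""
    if b"<!DOCTYPE" in data:
        return {"ok": False, "error": "DTD declarations are not accepted"}
    try:
        customer = parse_hardened(data)
    except etree.XMLSyntaxError as exc:
        return {"ok": False, "error": "malformed XML: %s" % exc}
    return {"ok": True, "customer": customer}


if __name__ == "__main__":
    print("vulnerable parser leaked:", repr(parse_vulnerable(XXE_PAYLOAD)))
    print("hardened parser returned:", repr(parse_hardened(XXE_PAYLOAD)))
    print("handler on XXE payload:", process_xml(XXE_PAYLOAD))
    print("handler on benign payload:", process_xml(BENIGN_PAYLOAD))
    os.unlink(SECRET_PATH)
```

With resolve_entities=False the &leak; reference is kept as an entity node rather than text, so findtext() returns an empty string instead of the file contents; the vulnerable parser returns the secret. Rejecting any DOCTYPE is the strict choice the Bugbot summary warns about (it will refuse inputs that legitimately use a DTD), so drop that check if such inputs are expected and rely on the parser settings alone.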


Labels: None yet

Projects: None yet

Development

Successfully merging this pull request may close these issues:
[CodeQL #27] XML external entity expansion

1 participant