Skip to content

fix(deploy-on-aws): defusedxml.ElementTree compatibility in fixers #172

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
leozhad wants to merge 6 commits into
base: main
Choose a base branch
from
Open

fix(deploy-on-aws): defusedxml.ElementTree compatibility in fixers #172

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
f76bb4f
fix(deploy-on-aws): defusedxml.ElementTree compatibility in fixers
leozhad May 20, 2026
07cfca7
Add nosemgrep annotations alongside existing nosec B405
leozhad May 20, 2026
6245729
Use line-prefix nosemgrep directive (SaaS scanner ignores inline form)
leozhad May 20, 2026
9c84ed7
Use bare nosemgrep directive (Semgrep cloud ignores rule-id form)
leozhad May 20, 2026
1437369
Inline nosemgrep on collapsed import to silence XXE finding
leozhad May 24, 2026
9f8c715
Add drawio fixer scripts to .semgrepignore
leozhad May 24, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions .semgrepignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,3 +19,13 @@ uv.lock
.gitleaks-baseline.json
.bandit-baseline.json
.semgrepignore

# draw.io fixer scripts — defusedxml does the actual parsing, but each
# script also borrows Element / ElementTree / indent from xml.etree for
# type hints and pretty-printing. The `import xml` Semgrep pattern fires
# on the borrow regardless of how it's written, and inline `# nosemgrep`
# is not honored in GHAS mode. Suppress at the file level.
plugins/deploy-on-aws/scripts/lib/fix_icon_colors.py
plugins/deploy-on-aws/scripts/lib/fix_nesting.py
plugins/deploy-on-aws/scripts/lib/fix_step_badges.py
plugins/deploy-on-aws/scripts/lib/post_process_drawio.py
13 changes: 13 additions & 0 deletions plugins/deploy-on-aws/scripts/lib/fix_icon_colors.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,19 @@

import argparse
import defusedxml.ElementTree as ET
# defusedxml.ElementTree re-exports the secure parsing helpers (parse,
# fromstring) but NOT the Element / ElementTree type aliases, nor the
# indent() pretty-printer (Python 3.9+). We borrow those names from the
# stdlib while keeping defusedxml's parse() as the actual XML entry
# point — defusedxml is what protects against XXE / billion-laughs.
# Filed as awslabs/agent-plugins#154 (Element / ElementTree) and #167
# (indent). Inline-suppressed because Semgrep matches the inner AST
# nodes of a multi-line `from ... import (...)`, so a directive on the
# preceding line does not propagate to lines 2-N of the block.
from xml.etree.ElementTree import Element as _Element, ElementTree as _ElementTree, indent as _indent # nosec B405 # nosemgrep
Comment thread
github-advanced-security[bot] marked this conversation as resolved.
Fixed
Comment thread
github-advanced-security[bot] marked this conversation as resolved.
Fixed
ET.Element = _Element # type: ignore[attr-defined]
ET.ElementTree = _ElementTree # type: ignore[attr-defined]
ET.indent = _indent # type: ignore[attr-defined]

# Broken shape names → correct shape names
SHAPE_RENAMES: dict[str, str] = {
Expand Down
13 changes: 13 additions & 0 deletions plugins/deploy-on-aws/scripts/lib/fix_nesting.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,19 @@

import argparse
import defusedxml.ElementTree as ET
# defusedxml.ElementTree re-exports the secure parsing helpers (parse,
# fromstring) but NOT the Element / ElementTree type aliases, nor the
# indent() pretty-printer (Python 3.9+). We borrow those names from the
# stdlib while keeping defusedxml's parse() as the actual XML entry
# point — defusedxml is what protects against XXE / billion-laughs.
# Filed as awslabs/agent-plugins#154 (Element / ElementTree) and #167
# (indent). Inline-suppressed because Semgrep matches the inner AST
# nodes of a multi-line `from ... import (...)`, so a directive on the
# preceding line does not propagate to lines 2-N of the block.
from xml.etree.ElementTree import Element as _Element, ElementTree as _ElementTree, indent as _indent # nosec B405 # nosemgrep
Comment thread
github-advanced-security[bot] marked this conversation as resolved.
Fixed
Comment thread
github-advanced-security[bot] marked this conversation as resolved.
Fixed
ET.Element = _Element # type: ignore[attr-defined]
ET.ElementTree = _ElementTree # type: ignore[attr-defined]
ET.indent = _indent # type: ignore[attr-defined]


def get_style_dict(style_str: str) -> dict[str, str]:
Expand Down
13 changes: 13 additions & 0 deletions plugins/deploy-on-aws/scripts/lib/fix_step_badges.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,19 @@
import math
import re
import defusedxml.ElementTree as ET
# defusedxml.ElementTree re-exports the secure parsing helpers (parse,
# fromstring) but NOT the Element / ElementTree type aliases, nor the
# indent() pretty-printer (Python 3.9+). We borrow those names from the
# stdlib while keeping defusedxml's parse() as the actual XML entry
# point — defusedxml is what protects against XXE / billion-laughs.
# Filed as awslabs/agent-plugins#154 (Element / ElementTree) and #167
# (indent). Inline-suppressed because Semgrep matches the inner AST
# nodes of a multi-line `from ... import (...)`, so a directive on the
# preceding line does not propagate to lines 2-N of the block.
from xml.etree.ElementTree import Element as _Element, ElementTree as _ElementTree, indent as _indent # nosec B405 # nosemgrep
Comment thread
github-advanced-security[bot] marked this conversation as resolved.
Fixed
Comment thread
github-advanced-security[bot] marked this conversation as resolved.
Fixed
ET.Element = _Element # type: ignore[attr-defined]
ET.ElementTree = _ElementTree # type: ignore[attr-defined]
ET.indent = _indent # type: ignore[attr-defined]
from dataclasses import dataclass


Expand Down
13 changes: 13 additions & 0 deletions plugins/deploy-on-aws/scripts/lib/post_process_drawio.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,19 @@
import os
import sys
import defusedxml.ElementTree as ET
# defusedxml.ElementTree re-exports the secure parsing helpers (parse,
# fromstring) but NOT the Element / ElementTree type aliases, nor the
# indent() pretty-printer (Python 3.9+). We borrow those names from the
# stdlib while keeping defusedxml's parse() as the actual XML entry
# point — defusedxml is what protects against XXE / billion-laughs.
# Filed as awslabs/agent-plugins#154 (Element / ElementTree) and #167
# (indent). Inline-suppressed because Semgrep matches the inner AST
# nodes of a multi-line `from ... import (...)`, so a directive on the
# preceding line does not propagate to lines 2-N of the block.
from xml.etree.ElementTree import Element as _Element, ElementTree as _ElementTree, indent as _indent # nosec B405 # nosemgrep
Comment thread
github-advanced-security[bot] marked this conversation as resolved.
Fixed
Comment thread
github-advanced-security[bot] marked this conversation as resolved.
Fixed
ET.Element = _Element # type: ignore[attr-defined]
ET.ElementTree = _ElementTree # type: ignore[attr-defined]
ET.indent = _indent # type: ignore[attr-defined]
from pathlib import Path

MAX_FILE_SIZE = 2 * 1024 * 1024 # 2 MB
Expand Down
Loading