From 4504014e3c185eb6e214e12c8f680da1438ac5b2 Mon Sep 17 00:00:00 2001
From: Mufeed VH
Date: Fri, 14 Feb 2020 18:47:50 +0530
Subject: [PATCH 1/3] Added defusedxml module for XML parsing
---
 tox.ini | 1 +
 1 file changed, 1 insertion(+)
diff --git a/tox.ini b/tox.ini
index 8ea1651..817e15e 100644
--- a/tox.ini
+++ b/tox.ini
@@ -5,4 +5,5 @@ deps=nose
 pymongo
 sqlalchemy
 pymysql
+ defusedxml
 commands=nosetests
From 54ee2b8d2f7050e2bd6e1d71883cbeb950a56aef Mon Sep 17 00:00:00 2001
From: Mufeed VH
Date: Fri, 14 Feb 2020 18:48:19 +0530
Subject: [PATCH 2/3] Added defusedxml module for XML parsing
---
 .travis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.travis.yml b/.travis.yml
index e2c6632..4cfe913 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -19,7 +19,7 @@ install:
 - "pip install pyflakes"
 # - "pip install boto" # disabled: since boto not supporting py3
 # - "pip install pymongo sqlalchemy MySQL-python" # disabled MySQL-python (not py3 compatible)
- - "pip install pymongo sqlalchemy pymysql"
+ - "pip install pymongo sqlalchemy pymysql defusedxml"
 - "pip install coveralls"
 - "python setup.py install"
 before_script:
From ade6207078ccd303017f33ccb0f7920e8733b229 Mon Sep 17 00:00:00 2001
From: Mufeed VH
Date: Fri, 14 Feb 2020 18:49:25 +0530
Subject: [PATCH 3/3] Replaced standard XML module with 'defusedxml' for XML bomb protection
---
 libnmap/parser.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/libnmap/parser.py b/libnmap/parser.py
index 8331ef9..c65741a 100644
--- a/libnmap/parser.py
+++ b/libnmap/parser.py
@@ -2,9 +2,9 @@
 try:
- import xml.etree.cElementTree as ET
+ import defusedxml.cElementTree as parseXML
 except ImportError:
- import xml.etree.ElementTree as ET
+ import defusedxml.ElementTree as parseXML
 from libnmap.objects import NmapHost, NmapService, NmapReport
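Review bot: In the libnmap/parser.py import hunk, both the `try` branch and the `except ImportError` branch now import from defusedxml, so the fallback no longer covers a missing module: if defusedxml is absent, the second import fails as well. defusedxml also marks its `cElementTree` module as deprecated, so a single `import defusedxml.ElementTree as ET` would be enough. Keeping the `ET` alias also avoids a NameError in any `ET.` reference elsewhere in parser.py that these two hunks do not touch (the rest of the file is not visible here). The series adds the package only to tox.ini and .travis.yml; if setup.py declares install requirements, defusedxml should be listed there too, otherwise importing libnmap.parser fails on a plain install.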
@@ -87,7 +87,7 @@ def _parse_xml(cls, nmap_data=None, incomplete=False):
 nmap_data += ""
 try:
- root = ET.fromstring(nmap_data)
+ root = parseXML.fromstring(nmap_data)
 except:
 raise NmapParserException("Wrong XML structure: cannot parse data")
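Review bot: The bare `except:` after `parseXML.fromstring(nmap_data)` now also catches defusedxml's own rejection errors, so a report refused for a forbidden entity or external reference is raised with the same "Wrong XML structure" message as a truncated file. The caller then cannot log or alert on the rejected input separately. A dedicated clause such as `except DefusedXmlException:` (the class is importable from `defusedxml`) with its own message would keep that signal. Narrowing the remaining clause to `except Exception:` would stop KeyboardInterrupt and SystemExit from being converted into a parser error. `_parse_xml` starts and continues outside this hunk, so the surrounding handling is not visible here.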