suspicious-lxml-import (S410)
Removed (since v0.3.0)
Derived from the flake8-bandit linter.
Warning: This rule has been removed and its documentation is only available for historical reasons.
Removed
This rule was removed because the lxml library has been modified to address
known vulnerabilities and unsafe defaults. As such, the defusedxml
library is no longer necessary, and defusedxml has deprecated its lxml
module.
What it does
Checks for imports of the lxml module.
Why is this bad?
Using various methods from the lxml module to parse untrusted XML data is
known to be vulnerable to XML attacks. Replace vulnerable imports with the
equivalent defusedxml package.
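
The check described under "What it does" can be reproduced with Python's standard `ast` module, which is useful for auditing a code base now that the rule is gone. This is an added example, not Ruff's or flake8-bandit's implementation; the function names, the sample source and the choice to skip relative imports are assumptions.

```python
import ast

# Constructed sample source to scan; not taken from any real project.
SAMPLE = '''\
import os
import lxml
import lxml.etree as ET
from lxml import etree, html
from lxml.html import fromstring
import lxml_stubs
from defusedxml import ElementTree
from . import lxml
def load():
    from lxml import objectify
'''


def is_lxml(module):
    """True for the lxml package or one of its submodules, not look-alike names."""
    return module == "lxml" or module.startswith("lxml.")


def find_lxml_imports(source, filename="<string>"):
    """Return sorted (line, column, module) tuples for every import of lxml."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Import):
            # `import lxml`, `import lxml.etree as ET`
            for alias in node.names:
                if is_lxml(alias.name):
                    findings.append((node.lineno, node.col_offset, alias.name))
        elif isinstance(node, ast.ImportFrom):
            # Assumption: a relative import (level > 0, e.g. `from . import lxml`)
            # refers to a local module and is not reported.
            if node.level == 0 and node.module and is_lxml(node.module):
                findings.append((node.lineno, node.col_offset, node.module))
    return sorted(findings)


if __name__ == "__main__":
    for line, col, name in find_lxml_imports(SAMPLE):
        print(f"<sample>:{line}:{col + 1}: S410 import of `{name}`")
```

Walking the whole tree, rather than only top-level statements, also catches imports nested inside functions, such as the one in `load()` in the sample.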