From 596d7494210260aa76a949a8660aa19a45a23dd1 Mon Sep 17 00:00:00 2001 
From: nelsoduarte
Date: Tue, 26 May 2026 12:22:37 +0100
Subject: [PATCH] fix(deps): pin lxml >=6.1.0 to close PYSEC-2026-87 (XXE)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

A pip-audit sweep flagged lxml 6.0.2 as vulnerable to PYSEC-2026-87. lxml is pulled in transitively by python-docx, python-pptx, ebooklib, and pikepdf — all four of which we use, so the vulnerable lxml ships inside the PDFApps .exe (confirmed via the PyInstaller xref).

The bug: lxml's two parsers, in their default configuration (resolve_entities=True), resolve external entities. A crafted DOCX, PPTX, EPUB, or a PDF with hostile XMP metadata can therefore embed references to /etc/passwd, ~/.ssh/id_rsa, etc., and the parser will inline those contents on parse — classic XML External Entity (XXE) attack. Fixed upstream in 6.1.0.

PDFApps is exactly the kind of tool that opens untrusted files from users' machines, so the attack surface is real. Severity: medium (requires user to open a malicious file).

Fix: add an explicit `lxml>=6.1.0` line to requirements.txt. None of the four packages that pull lxml in pin it, so pip will pick whatever matches — usually the latest. The explicit pin guarantees the safe floor on every install, including the GitHub Actions release runner that produces the shipped MSIX / installer.

Other findings from the same sweep (all NOT shipping in the .exe and so no action needed):

- urllib3 2.6.3 / idna 3.11 — only present as dev deps (no requests imports in our code; "idna" entry in the PyInstaller xref is the stdlib encodings/idna module, not the third-party package).
- pip 26.0.1 — build-time tool, never bundled.
- pytest 9.0.2 — only used under tests/, never in runtime modules.

No version bump in this commit. The fix will ride along with the next natural release (currently v1.13.12 is in cert; tagging v1.13.13 just for this would churn the Store certification queue).
Co-Authored-By: Claude Opus 4.7 (1M context) --- requirements.txt | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/requirements.txt b/requirements.txt index 968d728..295cfa8 100644 --- a/requirements.txt +++ b/requirements.txt @@ -10,4 +10,9 @@ python-pptx>=1.0.2 openpyxl>=3.1.5 beautifulsoup4>=4.14.3 ebooklib>=0.20 +# Transitive of python-docx, python-pptx, ebooklib, pikepdf. +# Pin to >=6.1.0 to fix PYSEC-2026-87 (XXE — lxml < 6.1.0 resolves +# external entities by default, allowing crafted DOCX/PPTX/EPUB/PDF-XMP +# files to read arbitrary local files). +lxml>=6.1.0 pyinstaller>=6.20.0
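Review bot: the added `lxml>=6.1.0` line is a floor, not a pin, so the requirements.txt comment "Pin to >=6.1.0" and the subject line overstate what it guarantees: pip will still pick any version at or above 6.1.0, and nothing in this change fails the build if a future resolver run ever lands below it. Since the message already names the pip-audit sweep and the GitHub Actions release runner, consider adding that sweep as a gating step in the release workflow so a regression of the floor breaks the build rather than shipping silently. For defense in depth at the four parse paths (python-docx, python-pptx, ebooklib, pikepdf XMP), the message itself identifies `resolve_entities=True` as the root cause, so explicitly constructing the parsers with `resolve_entities=False` (and `no_network=True`) where the code controls them would remove the reliance on the installed lxml version altogether; that can be a follow-up rather than part of this dependency change.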
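A complementary, version-independent check for the file formats named in the commit message, added here as an example and not part of the PDFApps patch: DOCX, PPTX and EPUB are zip containers whose XML parts never need externally declared entities, so a pre-filter can refuse a container that declares one before any part reaches lxml. The container layout (`word/document.xml` etc.) and the sample bytes below are constructed for the demonstration; the regex, part-name list and function names are this example's own assumptions.

```python
"""Pre-parse XXE screen for zip-based document containers (stdlib only)."""
import io
import re
import zipfile

# XML parts worth inspecting in OOXML/EPUB containers (assumed list).
_XML_SUFFIXES = (".xml", ".rels", ".opf", ".xhtml", ".html")

# An <!ENTITY ...> (general or parameter) whose value comes from SYSTEM/PUBLIC,
# i.e. an external entity declaration. Internal DTD entities are not flagged.
_EXTERNAL_ENTITY = re.compile(
    rb"<!ENTITY\s+(?:%\s+)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.IGNORECASE)
_DOCTYPE = re.compile(rb"<!DOCTYPE\b", re.IGNORECASE)


def find_suspicious_parts(container: bytes, max_bytes: int = 8192) -> list[str]:
    """Return names of XML parts whose prolog declares an external entity.

    Only the first max_bytes of each part are read: a DOCTYPE must appear
    before the root element, so a bounded read is enough and keeps the
    check cheap even for large documents.
    """
    hits: list[str] = []
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(_XML_SUFFIXES):
                continue
            with zf.open(info) as fh:
                head = fh.read(max_bytes)
            if _DOCTYPE.search(head) and _EXTERNAL_ENTITY.search(head):
                hits.append(info.filename)
    return hits


def build_container(parts: dict[str, bytes]) -> bytes:
    """Build a minimal in-memory zip (constructed sample, not a real DOCX)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a benign part and one carrying the DOCTYPE pattern
# the commit message describes (external entity pointing at a local file).
CLEAN = build_container({
    "word/document.xml": b'<?xml version="1.0"?><w:document xmlns:w="x"/>'})
HOSTILE = build_container({
    "word/document.xml": (
        b'<?xml version="1.0"?>'
        b'<!DOCTYPE w:document [<!ENTITY ext SYSTEM "file:///etc/passwd">]>'
        b'<w:document xmlns:w="x"><w:body>&ext;</w:body></w:document>')})
```

This screen is a pre-filter only; the parser-side fix (`resolve_entities=False`, or the lxml floor this patch adds) remains the actual mitigation.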