mirror of
https://github.com/HKUDS/CLI-Anything.git
synced 2026-06-08 23:39:20 +08:00
1afe545929
The repo's threat model (SECURITY.md) calls out XML/SVG content as a key
attack surface and lists "ElementTree auto-escaping" as the mitigation.
That covers XML *output* (serialization). XML *input* (parsing) across
the agent backends still goes through stdlib `xml.etree.ElementTree`,
which is vulnerable to entity-expansion DoS ("billion laughs" /
quadratic blowup) — Python 3.7.1 disabled external-entity lookup on ET
by default, but internal-entity expansion is still possible and can
exhaust CPU/RAM from a small file.
Migrate the parse/fromstring call sites in production code paths to
defusedxml.ElementTree (drop-in API). Construction calls (Element,
SubElement, tostring, register_namespace) are left on stdlib ET — those
don't parse untrusted input. Tests are left as-is in this PR.
Detected by Aeon + semgrep p/security-audit + p/owasp-top-ten
(rules: use-defused-xml, use-defused-xml-parse).
Severity: medium (DoS from agent-ingested files; not RCE).
CWE-776 Improper Restriction of Recursive Entity References.
83 lines
2.3 KiB
Python
83 lines
2.3 KiB
Python
#!/usr/bin/env python3
|
|
"""
|
|
setup.py for cli-anything-macrocli
|
|
|
|
Install with: pip install -e .
|
|
"""
|
|
|
|
from setuptools import setup, find_namespace_packages
|
|
|
|
with open("cli_anything/macrocli/README.md", "r", encoding="utf-8") as fh:
|
|
long_description = fh.read()
|
|
|
|
setup(
|
|
name="cli-anything-macrocli",
|
|
version="1.0.0",
|
|
author="cli-anything contributors",
|
|
author_email="",
|
|
description=(
|
|
"MacroCLI — A layered CLI that converts GUI workflows into "
|
|
"parameterized, agent-callable macros. Requires: PyYAML, click, prompt-toolkit."
|
|
),
|
|
long_description=long_description,
|
|
long_description_content_type="text/markdown",
|
|
url="https://github.com/HKUDS/CLI-Anything",
|
|
packages=find_namespace_packages(include=["cli_anything.*"]),
|
|
classifiers=[
|
|
"Development Status :: 4 - Beta",
|
|
"Intended Audience :: Developers",
|
|
"Topic :: Software Development :: Libraries :: Python Modules",
|
|
"License :: OSI Approved :: MIT License",
|
|
"Programming Language :: Python :: 3",
|
|
"Programming Language :: Python :: 3.10",
|
|
"Programming Language :: Python :: 3.11",
|
|
"Programming Language :: Python :: 3.12",
|
|
],
|
|
python_requires=">=3.10",
|
|
install_requires=[
|
|
"click>=8.0.0",
|
|
"prompt-toolkit>=3.0.0",
|
|
"PyYAML>=6.0",
|
|
"defusedxml>=0.7.1",
|
|
],
|
|
extras_require={
|
|
"dev": [
|
|
"pytest>=7.0.0",
|
|
"pytest-cov>=4.0.0",
|
|
],
|
|
"visual": [
|
|
"mss>=9.0.0",
|
|
"Pillow>=10.0.0",
|
|
"numpy>=1.24.0",
|
|
"pynput>=1.7.0",
|
|
],
|
|
"gui_agent": [
|
|
"openai>=1.0.0",
|
|
"mss>=9.0.0",
|
|
"Pillow>=10.0.0",
|
|
],
|
|
"all": [
|
|
"mss>=9.0.0",
|
|
"Pillow>=10.0.0",
|
|
"numpy>=1.24.0",
|
|
"pynput>=1.7.0",
|
|
"openai>=1.0.0",
|
|
],
|
|
},
|
|
entry_points={
|
|
"console_scripts": [
|
|
"cli-anything-macrocli=cli_anything.macrocli.macrocli_cli:cli",
|
|
],
|
|
},
|
|
package_data={
|
|
"cli_anything.macrocli": [
|
|
"skills/*.md",
|
|
"macro_definitions/*.yaml",
|
|
"macro_definitions/examples/*.yaml",
|
|
"macro_definitions/demo/*.yaml",
|
|
],
|
|
},
|
|
include_package_data=True,
|
|
zip_safe=False,
|
|
)
|