From af60fe1edc0daf8b2ab09a0448e99bf25ae1a200 Mon Sep 17 00:00:00 2001
From: Paul
Date: Mon, 30 Mar 2026 21:15:41 +0300
Subject: [PATCH] fix cve

---
container/builder-macos.Dockerfile | 1 +
container/macos/sdk-fetcher.py | 20 +++++++++++++++++---
2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/container/builder-macos.Dockerfile b/container/builder-macos.Dockerfile
index 48b47751..fec9afaf 100644
--- a/container/builder-macos.Dockerfile
+++ b/container/builder-macos.Dockerfile
@@ -10,6 +10,7 @@ RUN apt-get update && \
     apt-get install -y --no-install-recommends \
     ca-certificates \
     python3 \
+    python3-defusedxml \
     cpio \
     tar \
     gzip \
diff --git a/container/macos/sdk-fetcher.py b/container/macos/sdk-fetcher.py
index cccda8ab..3b556c27 100644
--- a/container/macos/sdk-fetcher.py
+++ b/container/macos/sdk-fetcher.py
@@ -32,9 +32,15 @@ import subprocess
 import sys
 import tempfile
 import urllib.request
-import xml.etree.ElementTree as ET
 import zlib
 
+try:
+    import defusedxml.ElementTree as ET
+except ImportError as exc:
+    raise ImportError(
+        "defusedxml is required: pip install defusedxml"
+    ) from exc
+
 # -- Configuration -----------------------------------------------------------
 
 CATALOG_URLS = [
@@ -57,6 +63,12 @@ USER_AGENT = "Software%20Update"
 
 # -- Helpers -----------------------------------------------------------------
 
+def _validate_url(url):
+    """Reject non-HTTPS URLs to prevent file:// and other scheme attacks."""
+    if not url.startswith("https://"):
+        raise ValueError(f"Refusing non-HTTPS URL: {url}")
+
+
 def log(msg):
     print(msg, file=sys.stderr, flush=True)
 
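Review bot: Swapping `xml.etree.ElementTree` for `defusedxml.ElementTree` under the same alias `ET` changes what the name exposes: as far as I recall defusedxml's module re-exports only the parsing entry points (parse, iterparse, fromstring, XML, XMLParser, tostring) and not tree-building names such as `ET.Element`, `ET.SubElement` or `ET.ElementTree`, so any such use elsewhere in the file (not visible in this hunk) would now fail with AttributeError; the remaining `ET.` references should be checked. The try/except only adds an install hint to an ImportError that would be raised anyway, and the hint mentions pip while the Dockerfile hunk installs the package as python3-defusedxml via apt, so the message could name both. A one-line comment stating why the stdlib parser was replaced would document the intent: `# defusedxml: hardened parser for untrusted XML (rejects entity-expansion payloads)`.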
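Review bot: `_validate_url` pins the scheme but not the host, so any https:// origin passes; where the URL comes from parsed catalog data rather than the static CATALOG_URLS list (inferred — find_sdk_pkg_url's body is outside this hunk), an expected-host check would tighten it further. Parsing with `parts = urllib.parse.urlsplit(url)` and testing `parts.scheme == "https" and parts.netloc` would also reject a scheme-only string such as `https://`, which the prefix test accepts; note that would need an explicit `import urllib.parse`. The docstring could state precisely what is checked: `"""Reject URLs whose scheme is not https (blocks file://, ftp:// and similar)."""`.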
@@ -69,8 +81,9 @@ def find_sdk_pkg_url():
         short = cat_url.split("/index-")[1][:25] + "..."
         log(f" Trying catalog: {short}")
         try:
+            _validate_url(cat_url)
             req = urllib.request.Request(cat_url, headers={"User-Agent": USER_AGENT})
-            with urllib.request.urlopen(req, timeout=60) as resp:
+            with urllib.request.urlopen(req, timeout=60) as resp: # nosemgrep: python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected
                 raw = gzip.decompress(resp.read())
                 catalog = plistlib.loads(raw)
         except Exception as exc:
@@ -104,8 +117,9 @@ def find_sdk_pkg_url():
 
 def download(url, dest):
     """Download *url* to *dest* with a basic progress indicator."""
+    _validate_url(url)
     req = urllib.request.Request(url, headers={"User-Agent": USER_AGENT})
-    with urllib.request.urlopen(req, timeout=600) as resp:
+    with urllib.request.urlopen(req, timeout=600) as resp: # nosemgrep: python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected
         total = int(resp.headers.get("Content-Length", 0))
         done = 0
         with open(dest, "wb") as f:
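Review bot: The HTTPS guarantee holds only for the first request: `urllib.request.urlopen` follows 3xx redirects with the default handler, which permits http:// (and ftp://) targets, so a redirect can silently downgrade the catalog fetch here and the package fetch in the `download` hunk below. Checking the final URL after the response is opened, `_validate_url(resp.geturl())` as the first line inside each `with` block, closes that gap without a custom opener. Separately, `_validate_url(cat_url)` sits inside the `try:` whose `except Exception as exc:` (continuation outside the hunk) appears to treat failures as a reason to move to the next catalog, so a non-https entry in CATALOG_URLS would be swallowed as a transient fetch error rather than surfaced as a configuration bug; placing the call before `try:` makes it fail loudly. The `# nosemgrep` suppressions would read better with the justification attached, e.g. `# nosemgrep: ... — URL scheme enforced by _validate_url above`. Both enclosing functions continue outside their hunks.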