fix: DEV-3089: Disable DTDForbidden for label config validation (#2782)

KonstantinKorotaev · web-flow · commit c800f2b5d3c1 · 2022-08-12T18:30:28.000+03:00
* fix: DEV-3089: Disable DTDForbidden  for label config validation
diff --git a/label_studio/core/label_config.py b/label_studio/core/label_config.py
@@ -73,9 +73,8 @@ def _fix_choices(config):
 
 
 def parse_config_to_json(config_string):
-    parser = etree.XMLParser()
     try:
-        xml = etree.fromstring(config_string, parser)
+        xml = etree.fromstring(config_string, forbid_dtd=False)
     except TypeError as error:
         raise etree.ParseError('can only parse strings')
     if xml is None:
@@ -113,8 +112,7 @@ def validate_label_config(config_string):
 
 def extract_data_types(label_config):
     # load config
-    parser = etree.XMLParser()
-    xml = etree.fromstring(label_config, parser)
+    xml = etree.fromstring(label_config, forbid_dtd=False)
     if xml is None:
         raise etree.ParseError('Project config is empty or incorrect')
 
@@ -163,7 +161,7 @@ def get_all_object_tag_names(label_config):
 
 
 def config_line_stipped(c):
-    tree = etree.fromstring(c)
+    tree = etree.fromstring(c, forbid_dtd=False)
     comments = tree.xpath('//comment()')
 
     for c in comments:
@@ -223,8 +221,7 @@ def generate_sample_task_without_check(label_config, mode='upload', secure_mode=
     """ Generate sample task only
     """
     # load config
-    parser = etree.XMLParser()
-    xml = etree.fromstring(label_config, parser)
+    xml = etree.fromstring(label_config, forbid_dtd=False)
     if xml is None:
         raise etree.ParseError('Project config is empty or incorrect')
 
