Use `defusedxml` for XMLRPC to prevent DoS attacks

`defusedxml` is a patched XML python library that fixes many issues
with the standard library XML and prevents attacks such as
Billion laughs attack.

https://en.wikipedia.org/wiki/Billion_laughs_attack

`defusedxml` provides a `defusedxml.xmlrpc.monkey_patch` call
which will patch the `xmlrpc` standard library module with the
safe XML decoders.

This patch enables XML protections once a Dispatcher class is
initiated. The Dispatcher is the one that uses the
`xmlrpc.client.loads` call to parse XML from the HTTP call.

docker/lava-server-base/Dockerfile

@@ -13,7 +13,7 @@ RUN echo 'deb http://deb.debian.org/debian bullseye-backports main' > /etc/apt/s
     apt-get install --no-install-recommends --yes libldap-common libsasl2-modules && \
     apt-get install --no-install-recommends --yes python3-boto3 python3-pycurl && \
     apt-get install --no-install-recommends --yes python3-voluptuous python3-yaml && \
-    apt-get install --no-install-recommends --yes python3-aiohttp python3-celery python3-django python3-django-allauth python3-django-auth-ldap python3-django-environ python3-django-filters python3-django-tables2 python3-djangorestframework python3-djangorestframework-extensions python3-djangorestframework-filters python3-docutils python3-eventlet python3-jinja2 python3-junit.xml python3-psycopg2 python3-requests python3-simplejson python3-tap python3-tz python3-voluptuous python3-whitenoise python3-yaml python3-zmq && \
+    apt-get install --no-install-recommends --yes python3-aiohttp python3-celery python3-defusedxml python3-django python3-django-allauth python3-django-auth-ldap python3-django-environ python3-django-filters python3-django-tables2 python3-djangorestframework python3-djangorestframework-extensions python3-djangorestframework-filters python3-docutils python3-eventlet python3-jinja2 python3-junit.xml python3-psycopg2 python3-requests python3-simplejson python3-tap python3-tz python3-voluptuous python3-whitenoise python3-yaml python3-zmq && \
     apt-get install --no-install-recommends --yes python3-pip && \
     python3 -m pip install sentry-sdk==1.5.8 && \
     find /usr/lib/python3/dist-packages/ -name '__pycache__' -type d -exec rm -r "{}" + && \

linaro_django_xmlrpc/models.py

@@ -374,6 +374,9 @@ class Dispatcher:
         # logging output goes to lava-server.log
         logging.basicConfig()
         self.logger = logging.getLogger("linaro-django-xmlrpc-dispatcher")
+        from defusedxml.xmlrpc import monkey_patch
+
+        monkey_patch()
 
     def decode_request(self, data):
         """

share/requirements/debian/bullseye.yaml

@@ -13,6 +13,8 @@ lava-server:
     name: python3-django-auth-ldap
   PyYAML:
     name: python3-yaml
+  defusedxml:
+    name: python3-defusedxml
   django-allauth:
     name: python3-django-allauth
   django-filter:

share/requirements/debian/buster.yaml

@@ -13,6 +13,8 @@ lava-server:
     name: python3-django-auth-ldap
   PyYAML:
     name: python3-yaml
+  defusedxml:
+    name: python3-defusedxml
   django-allauth:
     name: python3-django-allauth
   django-filter:

share/requirements/debian/unstable.yaml

@@ -13,6 +13,8 @@ lava-server:
     name: python3-django-auth-ldap
   PyYAML:
     name: python3-yaml
+  defusedxml:
+    name: python3-defusedxml
   django-allauth:
     name: python3-django-allauth
   django-filter: