Take XML vulnerabilities into consideration, when parsing XLSX

There are many attack vectors targeting XML parsers; by default most are susceptible to all or most of the known vulnerabilities. There is DefuseXML Python library to help mitigate against attacks by malicious XML files obtained from non-trusted sources. When working with XLSX documents using xlrd, following wrapper can be used to harden against these attacks.

import defusedxml
from defusedxml.common import EntitiesForbidden
from xlrd import open_workbook
defusedxml.defuse_stdlib()


def secure_open_workbook(**kwargs):
    try:
        return open_workbook(**kwargs)
    except EntitiesForbidden:
        raise ValueError('Please use a xlsx file without XEE')

Upload passed XLSX statement into database, in addition to XLSX blob, also store following information:

• Statement ID
• ID of account associated with the statement as foreign key
• Upload date and time in UTC
• SHA256 hash of the uploaded file
• Total amount of transaction in the statement
• Timestamp of first transaction in the statement
• Timestamp of last transaction in the statement
• State of processing as ENUM (new, processing, processed, processing failed)
• Timestamp of processing start in UTC (can be NULL)
• Timestamp of processing finish in UTC (can be NULL)

Define database schema for Mintos platform; all tables related to Mintos platform are to be prefixed with p2p_lending_platform_mintos_.

List of tables

• p2p_lending_platform_mintos_statements (See Issue #1)
• p2p_lending_platform_mintos_originators
• p2p_lending_platform_mintos_loans
• p2p_lending_platform_mintos_participations
• p2p_lending_platform_mintos_transaction_types