DefectDojo · davidwebdeveloper · May 2, 2026 · May 2, 2026
@@ -8,6 +8,7 @@
 
 import six
 import tagulous
+from defusedxml import ElementTree as ET
 from django.conf import settings
 from django.contrib.auth.models import Group, Permission
 from django.contrib.auth.password_validation import validate_password
@@ -2393,6 +2394,8 @@
             duration = time.perf_counter() - start_time
             LargeScanSizeProductAnnouncement(response_data=data, duration=duration)
             ScanTypeProductAnnouncement(response_data=data, scan_type=context.get("scan_type"))
+        except ET.ParseError as e:
+            raise serializers.ValidationError({"file": f"Malformed XML: {e}"})
         # convert to exception otherwise django rest framework will swallow them as 400 error
         # exceptions are already logged in the importer
         except SyntaxError as se:
@@ -2701,6 +2704,8 @@
             duration = time.perf_counter() - start_time
             LargeScanSizeProductAnnouncement(response_data=data, duration=duration)
             ScanTypeProductAnnouncement(response_data=data, scan_type=context.get("scan_type"))
+        except ET.ParseError as e:
+            raise serializers.ValidationError({"file": f"Malformed XML: {e}"})
         # convert to exception otherwise django rest framework will swallow them as 400 error
         # exceptions are already logged in the importer
         except SyntaxError as se:
@@ -2783,6 +2788,8 @@
                     create_dojo_meta,
                     origin="API",
                 )
+        except ET.ParseError as e:
+            raise serializers.ValidationError({"file": f"Malformed XML: {e}"})
         except SyntaxError as se:
             raise Exception(se)
         except ValueError as ve:

@@ -0,0 +1 @@
+<root
@@ -0,0 +1,27 @@
+from unittests.dojo_test_case import DojoAPITestCase
+import os
+
+class XMLParseErrorTest(DojoAPITestCase):
+    fixtures = ["dojo_testdata.json"]
+
+    def setUp(self):
+        super().setUp()
+        self.login_as_admin()
+
+    def test_import_scan_malformed_xml_zap(self):
+        """
+        Test that importing a malformed XML file via the API returns a 400 error
+        instead of crashing the worker (propagating ParseError).
+        """
+        # engagement 1 should exist from fixtures
+        relative_path = os.path.join("scans", "zap", "malformed.xml")
+
+        # We expect a 400 Bad Request if handled
+        response = self.import_scan_with_params(
+            filename=relative_path,
+            scan_type="ZAP Scan",
+            engagement=1,
+            expected_http_status_code=400
+        )
+
+        self.assertIn("Malformed XML", response["file"][0])