Swap in defusedxml.parseString

[minhaminha]

Technical Summary

Jira Ticket
Code Scan alert

This PR swaps out lxml.fromString to defusedxml.minidom.parseString to mitigate risks of an XXE attack.

Safety Assurance

Safety story

Manually tested in shell using the example xml string '<bspostevent><field name="MobileNumber" type="string">000000000</field><field name="Text" type="string">sample text</field></bspostevent>' and verified it returns the same names, numbers and text.

QA Plan

I don't have a way of testing this locally so I think it's a good idea to ask QA to take a quick pass on it.

Rollback instructions

• This PR can be reverted after deploy with no further considerations

Labels & Review

• Risk label is set correctly
• The set of people pinged as reviewers is appropriate for the level of risk of the change

[esoergel]

I don't think QA will meaningfully be able to test this, unfortunately. It looks like the backend for some sms provider called "push", so we'd need access to that. Automated tests might be the best bet - it looks like the existing (presumed functional) implementation is super simple, so you could probably infer what the XML this receives looks like and then just ensure that both before and after handle it the same way.

[MartinRiese]

Looks like you are in luck and there already is a test that now fails:

FAILED corehq/apps/sms/tests/test_backends.py::AllBackendTest::test_push_inbound_sms - AttributeError: 'Text' object has no attribute 'getAttribute'

[minhaminha]

@esoergel gotcha. I used the sample xml string found in the previously failing test (also updated in the description above) to test the function before and after my changes - does that look right to you? (I did chop off the first ?xml tag since trying to parse as is with etree.fromstring triggers a valueerror)

[esoergel]

hooray for tests!