Bandit [B411]: use defusedxml to prevent remote XML attacks

- putting xmlrpc stuff into koji.xmlrpcplus
- adding koji.xmlrpcplus.xmlrpc_server to refer
- replacing refs of original xmlrpc.client.dumps to enhanced
  koji.xmlrpcplus.dumps

fixes: #3964

koji/__init__.py

@@ -69,7 +69,7 @@ from requests.packages.urllib3.exceptions import MaxRetryError, HostChangedError
 from six.moves import range, zip
 
 from koji.tasks import parse_task_params
-from koji.xmlrpcplus import Fault, dumps, getparser, loads, xmlrpc_client
+from koji.xmlrpcplus import DateTime, Fault, dumps, getparser, loads
 from koji.util import deprecated
 from . import util
 from . import _version
@@ -3661,7 +3661,7 @@ def formatTime(value):
     """Format a timestamp so it looks nicer"""
     if not value and not isinstance(value, (int, float)):
         return ''
-    if isinstance(value, xmlrpc_client.DateTime):
+    if isinstance(value, DateTime):
         value = datetime.datetime.strptime(value.value, "%Y%m%dT%H:%M:%S")
     elif isinstance(value, (int, float)):
         value = datetime.datetime.fromtimestamp(value)
@@ -3684,7 +3684,7 @@ def formatTimeLong(value):
         return ''
     if isinstance(value, six.string_types):
         t = dateutil.parser.parse(value)
-    elif isinstance(value, xmlrpc_client.DateTime):
+    elif isinstance(value, DateTime):
         t = dateutil.parser.parse(value.value)
     elif isinstance(value, (int, float)):
         t = datetime.datetime.fromtimestamp(value)

koji/xmlrpcplus.py

@@ -6,9 +6,16 @@ from __future__ import absolute_import
 
 import types
 
+import defusedxml.xmlrpc as defusedxmlrpc
 import re
 import six
+# importing here for references in koji by defused.xmlrpc.monkey_patch() below
 import six.moves.xmlrpc_client as xmlrpc_client
+import six.moves.xmlrpc_server as xmlrpc_server  # noqa: F401
+
+
+# patching xmlrpc to protect against XML related attacks
+defusedxmlrpc.monkey_patch()
 
 # duplicate a few values that we need
 getparser = xmlrpc_client.getparser