See:

• https://github.com/LibreDTE/libredte-lib/blob/22c6f8d5d8231ac27977020b8385547a3fd98dbc/examples/008-verificar_enviodte.php#L44-L62
• https://github.com/LibreDTE/libredte-lib/blob/ca8843735df63ea2405042935ac6f7a4a1628d2e/lib/Sii/EnvioDte.php#L422-L438

And for signature verification of each element 'DTE' in 'SetDTE' see:

https://github.com/LibreDTE/libredte-lib/blob/22c6f8d5d8231ac27977020b8385547a3fd98dbc/examples/008-verificar_enviodte.php#L68-L89

The following will trigger an error:

import pathlib
from cl_sii.libs import xml_utils
from cl_sii.dte.parse import _set_dte_xml_missing_xmlns, DTE_XMLNS_MAP

file_path = pathlib.Path('SET_DTE_76408488-8_33_591.xml')
envio_dte_xml_doc = xml_utils.parse_untrusted_xml(file_path.read_bytes())
assert envio_dte_xml_doc.tag == '{http://www.sii.cl/SiiDte}EnvioDTE'

set_dte_em = xml_em.find('sii-dte:SetDTE', namespaces=DTE_XMLNS_MAP)
set_dte_em = envio_dte_xml_doc.find('sii-dte:SetDTE', namespaces=DTE_XMLNS_MAP)

dte_em_list = set_dte_em.findall('sii-dte:DTE', namespaces=DTE_XMLNS_MAP)
dte_em = dte_em_list[0]

_set_dte_xml_missing_xmlns(dte_em)

Exception: ('XML root element tag does not match the expected simple or namespaced name.', 'DTE', '{http://www.sii.cl/SiiDte}DTE', '{http://www.sii.cl/SiiDte}EnvioDTE')

For a file like this one (download this example set_dte_76408488-8_33_591.xml)

<?xml version="1.0" encoding="ISO-8859-1"?>
<EnvioDTE version="1.0" xmlns="http://www.sii.cl/SiiDte" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.sii.cl/SiiDte EnvioDTE_v10.xsd">
<SetDTE ID="IDfc7f3b7ee3af4c078d300fd530656928">
<Caratula version="1.0">...</Caratula>
<DTE version="1.0">
<Documento ID="T33F591">...</Documento>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
</Signature>
</DTE>
</SetDTE>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
</Signature>
</EnvioDTE>

Mixing Data Class libraries can be a source of subtle bugs, such as pydantic/pydantic#2162.

Related to #229

There are some utilities such as test factories, sample data, helpers, etc. that are not included in the library package because they are not needed for production deployments. However, they are useful during development, so we should find a way to make them easily accessible to developers.

Ref.: https://github.com/fyntex/fyndata-cl-data/blob/6d3866913c02f8e6e83889135d018ca63b015578/fd_cl_data/apps/sii_cte/tests/cl_sii_factories.py#L14-L44
Ref.: https://github.com/fyntex/fyndata-cl-data/blob/04355dbbcf40e4769b80c475dfb77e51e63ddeab/fd_cl_data/apps/sii_rcv/tests/cl_sii_factories.py#L16-L75
Ref.: https://github.com/fyntex/fyndata-cl-data/blob/6d3866913c02f8e6e83889135d018ca63b015578/fd_cl_data/apps/sii_rtc/tests/cl_sii_api_factories.py#L16-L90

CC: @glarrain

It is quite common that a DTE XML file's xmlns attribute (document XML namespace) of tag DTE is missing.

In that case, replace
<DTE version="1.0"> to <DTE version="1.0" xmlns="http://www.sii.cl/SiiDte">

https://github.com/fyndata/lib-cl-sii-python/blob/6baaddea6ce3921108075938d9668703ed50e035/cl_sii/dte/parse.py#L62-L73

We need to use the cl-sii library with Django 3.1.

Ref: https://github.com/fyntex/lib-cl-sii-python/blob/195235b027b2dbf4861e5e899b9e04d1c86e80f1/setup.py#L38

Ref: https://cordada.aha.io/features/PLATCORE-309

Related files:

• https://github.com/fyntex/lib-cl-sii-python/blob/7a5830ec45c6365f81dfa3a43585ccf90f2f952b/setup.py#L39
• https://github.com/fyntex/lib-cl-sii-python/blob/7a5830ec45c6365f81dfa3a43585ccf90f2f952b/requirements/extras.txt#L5

Sentry Issue: FD-CL-DATA-Z

ValueError: Value must not have leading or trailing whitespace.
  File "cl_sii/rcv/parse_csv.py", line 1136, in _parse_rcv_csv_file
    entry = input_csv_row_schema.to_detalle_entry(deserialized_row_data)
  File "cl_sii/rcv/parse_csv.py", line 1046, in to_detalle_entry
    fecha_recepcion_dt=fecha_recepcion_dt,
  File "<string>", line 11, in __init__
  File "cl_sii/rcv/data_models.py", line 189, in __post_init__
    cl_sii.dte.data_models.validate_contribuyente_razon_social(self.receptor_razon_social)
  File "cl_sii/dte/data_models.py", line 70, in validate_contribuyente_razon_social
    raise ValueError("Value must not have leading or trailing whitespace.")

Deserialized data to data model instance conversion failed (probably a programming error).

For a "cesión"'s basic data.

Properties:

• natural_key
• alt_natural_key
• dte_natural_key
• dte_emisor_rut (analogous to dte.data_models.DteDataL1.vendedor_rut)
• dte_receptor_rut (analogous to dte.data_models.DteDataL1.comprador_rut)

We rely on function defusedxml.lxml.fromstring() for our function libs.xml_utils.parse_untrusted_xml(). What should we use instead?

DEPRECATED Example code for lxml.etree protection
The code has NO protection against decompression bombs.

Source

defusedxml.lxml
DEPRECATED The module is deprecated and will be removed in a future release.

Source

CC @jtrh

Alternatives

Perhaps there are others?

• defusedxml.ElementTree.fromstring
• defusedxml.cElementTree.fromstring

Source:

Formato Documentos Tributarios Electrónicos v2.2 - SII Chile, Section 2.2 "Detalle por Zona".

	Campos	[...]	Validación	[...]
124	Monto Total <MntTotal>	[...]	[...] En Liquidaciones-Factura, puede tomar valor negativo [...]	[...]

CVE-2021-3281
moderate severity
Vulnerable versions: >= 3.0, < 3.1.6
Patched version: 3.1.6
In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.

CVE-2020-24583
high severity
Vulnerable versions: >= 3.0, < 3.0.10
Patched version: 3.0.10
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). FILE_UPLOAD_DIRECTORY_PERMISSIONS mode was not applied to intermediate-level directories created in the process of uploading files. It was also not applied to intermediate-level collected static directories when using the collectstatic management command.

CVE-2020-24584
high severity
Vulnerable versions: >= 3.0, < 3.0.10
Patched version: 3.0.10
An issue was discovered in Django 2.2 before 2.2.16, 3.0 before 3.0.10, and 3.1 before 3.1.1 (when Python 3.7+ is used). The intermediate-level directories of the filesystem cache had the system's standard umask rather than 0o077.

I would move the conversion of DteXmlData to a Pydantic Dataclass into a separate commit and/or pull request.

Originally posted by @jtrobles-cdd in #218 (comment)

The end of support date of Python 3.7 is 2023-06-27 (see PEP 537 → Lifespan).

Ref: https://cordada.aha.io/features/COMPCLDATA-219

The value 50000000 is the minimum RUT (digits) for a "Persona Jurídica", not for the whole range of RUT. See https://bakercapital.slack.com/archives/CS9G7SZBL/p1580307661000200

Also:

"un RUT sobre 50.000.000 corresponde a una persona jurídica".
No tenemos una fuente oficial para esa afirmación. Sin embargo la experiencia ha probado eso, y una página del BancoEstado dice lo mismo:
"Persona Jurídica es: “Persona ficticia, capaz de ejercer derechos y contraer obligaciones civiles, y de ser representada judicial y extrajudicialmente”. Además de esto, poseen Rut sobre 50 millones."
https://www.bancoestado.cl/imagenes/_microempresas/servicios/informacion-general.asp

https://docs.google.com/presentation/d/1QjjrBMpEoUQaOJXWSMqg9kDBeIUnb4-MOJP16IcBxo0/edit?disco=AAAAEIwVU4k

https://github.com/fyntex/lib-cl-sii-python/blob/c70feb2d32cd0e5bcb023289e9e3737398d3e9c9/cl_sii/rut/constants.py#L19-L20

More info:

• SII FAQ | ¿Para qué se utiliza la Liquidación Factura Electrónica?
• SII FAQ | ¿Qué son las Liquidaciones-Factura?
• SII FAQ | ¿Qué documentos tributarios deben emitir las partes involucradas en un contrato de consignación?

Registro de Liquidaciones y Liquidaciones Factura en IECV (antecesor RCV):

El comisionista o consignatario es el emisor del documento y deberá registrar en su
información electrónica de ventas la liquidación/liquidación factura que emita [...]

El mandante es quien recibe el documento y deberá registrarlo en su información
electrónica de ventas y, si se trata de una liquidación factura deberá registrarlo también en
la información electrónica de compras, por el crédito fiscal asociado a la comisión.

Source: SII Factura Electrónica | Ejemplos y Casos Especiales Registro Documentos en IECV y en Declaraciones Juradas 3327 y 3328

AttributeError: 'RFC822Name' object has no attribute 'type_id'
  File "cl_sii/rut/crypto_utils.py", line 36, in get_subject_rut_from_certificate_pfx
    results = [
  File "cl_sii/rut/crypto_utils.py", line 39, in <listcomp>
    if x.type_id == constants.SII_CERT_TITULAR_RUT_OID

Exception: Certificate has no RUT information
(28 additional frame(s) were not displayed)
...
  File "...", line 212, in ...
    ... = ...
  File "...", line 113, in ...
    ...
  File "...", line 303, in ...
    ... = ...
  File "...", line 325, in ...
    '...': cl_sii.rut.crypto_utils.get_subject_rut_from_certificate_pfx(
  File "cl_sii/rut/crypto_utils.py", line 42, in get_subject_rut_from_certificate_pfx
    raise Exception('Certificate has no RUT information')

The above problem is caused because the code of cl_sii.rut.crypto_utils.get_subject_rut_from_certificate_pfx(), when iterating subject_alt_name_ext.value._general_names, attempts to read the attribute type_id of an object that doesn't have it (<RFC822Name(value='****@****.**')>), and that throws an AttributeError. That could be fixed by replacing if x.type_id == constants.SII_CERT_TITULAR_RUT_OID with if hasattr(x, 'type_id') and x.type_id == constants.SII_CERT_TITULAR_RUT_OID.

I would also improve the handling of the AttributeError exception that wraps results = [...] because it's interpreting any AttributeError as Certificate has no RUT information, which hides the actual cause of the error in cases like the current one.

Content of subject_alt_name_ext:

<Extension(oid=<ObjectIdentifier(oid=2.5.29.17, name=subjectAltName)>, critical=False,
    value=<SubjectAlternativeName(
        <GeneralNames([
            <OtherName(type_id=<ObjectIdentifier(oid=1.3.6.1.4.1.8321.1, name=Unknown OID)>, value=b'\x16\n1*******-8')>,
            <OtherName(type_id=<ObjectIdentifier(oid=1.3.6.1.5.5.7.8.3, name=Unknown OID)>, value=b'0\x...\n1****-8\x...')>,
            <RFC822Name(value='****@****.**')>
        ])>
    )>
)>

Ref: #267
CC: @ycouce-cdd, @yrios-cdd

Code: https://github.com/fyntex/lib-cl-sii-python/blob/267c1a55423c7ed6ced718810bb4bd8164b65014/cl_sii/libs/io_utils.py#L61-L63

Test: https://github.com/fyntex/lib-cl-sii-python/blob/267c1a55423c7ed6ced718810bb4bd8164b65014/tests/test_libs_io_utils.py#L70-L73

This issue affects Python 3.7.2, but versions starting from 3.7.6 are not affected.

• Review the changelog of the library.
• Find out the status of the library's use of defusedxml.
  • XML-Security/signxml@83c05fb
• Update package version in:
  • setup.py
  • requirements/base.txt
• For each project of our organization that depends on cl-sii, create an issue to track the updating of its version of cl-sii to one that depends on the updated signxml.
  • https://github.com/fyntex/lib-cl-sii-api-python/issues/160
  • https://github.com/fyntex/fd-cl-data/issues/496

Can a RcRegistroDetalleEntry of a (non-electronic) factura (<RcvTipoDocto.FACTURA: 30>) have a blank (empty string) emisor razón social?

Sentry Issue: FD-CL-DATA-13E

ValueError: Value must not be empty.
  File "cl_sii/rcv/parse_csv.py", line 1175, in _parse_rcv_csv_file
    entry = input_csv_row_schema.to_detalle_entry(deserialized_row_data)
  File "cl_sii/rcv/parse_csv.py", line 784, in to_detalle_entry
    detalle_entry = RcRegistroDetalleEntry(
  File "<string>", line 12, in __init__
    from datetime import date, datetime
  File "cl_sii/rcv/data_models.py", line 281, in __post_init__
    cl_sii.dte.data_models.validate_contribuyente_razon_social(self.emisor_razon_social)
  File "cl_sii/dte/data_models.py", line 76, in validate_contribuyente_razon_social
    raise ValueError("Value must not be empty.")

Deserialized data to data model instance conversion failed (probably a programming error).

Pendulum: "Python datetimes made easy."

• https://github.com/sdispater/pendulum
• https://pendulum.eustace.io

The Open Source Insights page for each package shows the full dependency graph and updates it every day. The information provided can help you make informed decisions about using, building, and maintaining your software.

With Open Source Insights, you can actually see the dependency graph for a package, then isolate the paths to a particular dependency. Or see whether a vulnerability in a dependency might affect your code. Or compare two versions of a package to see how the dependencies have changed in a new release.

Open Source Insights page for PyPI package cl-sii: https://deps.dev/pypi/cl-sii

GHSA-5jqp-qgf6-3pvh

Element "Referencia" at DTE_v10.xsd:
https://github.com/cl-sii-extraoficial/archivos-oficiales/blob/99b15aff252836e1ac311d243636aa3a9e6b89c6/src/code/rtc/2019-12-12-schema_cesion/schema_cesion/DTE_v10.xsd#L1757-L1850

Ref: https://cordada.aha.io/features/COMPCLDATA-221

They seem to be pretty minor changes.

marshmallow-code/marshmallow@2.16.3...2.19.2

https://pypi.org/project/marshmallow/#history

Can a RvDetalleEntry of a (non-electronic) factura de exportación (<RcvTipoDocto.FACTURA_EXPORTACION: 101>) have a blank (empty string) receptor razón social?

Sentry Issue: FD-CL-DATA-13F

ValueError: Value must not be empty.
  File "cl_sii/rcv/parse_csv.py", line 1175, in _parse_rcv_csv_file
    entry = input_csv_row_schema.to_detalle_entry(deserialized_row_data)
  File "cl_sii/rcv/parse_csv.py", line 651, in to_detalle_entry
    detalle_entry = RvDetalleEntry(
  File "<string>", line 13, in __init__
    from typing import Optional
  File "cl_sii/rcv/data_models.py", line 244, in __post_init__
    cl_sii.dte.data_models.validate_contribuyente_razon_social(self.receptor_razon_social)
  File "cl_sii/dte/data_models.py", line 76, in validate_contribuyente_razon_social
    raise ValueError("Value must not be empty.")

Deserialized data to data model instance conversion failed (probably a programming error).

See LibreDTE's PHP class sasco\LibreDTE\FirmaElectronica with methods:

• open a PKCS #12 file (.pfx or .p12)
• getID: "Método que entrega el RUN/RUT asociado al certificado"
• get issuer
• get (subject's) name and email address
• get expiration, total duration, days until expiration, etc.
• extract private key
• extract certificate
• sign and signXML
• verify and verifyXML

Hi, in this library is available any method for check a bussiness information by RUT?

Problem 1

The schema validates SII Form 29 codes using a regex that matches strings with three digits. New information has shown that codes with four digits are possible.

Problem 2

If problem 1 is fixed, a new problem occurs: The value of the four-digit code 9906 is a date-formatted string ("22/01/2019"), but the data type specified by the SII in the datos object is number (N), not date (F), which causes an error when the code attempts to convert the string value to an integer: ValueError: invalid literal for int() with base 10: '22/01/2019'.

Example for Problems 1 and 2

{
  "campos": {
    "001": "D***",
    "...": "...",
    "596": "0",
    "9906": "22/01/2019"
  },
  "extras": {
    "ADM8703": "",
    "ADM8721": "",
    "BANCO": "",
    "CALIDADDECLARANTE": "Contribuyente",
    "CARTRIB": "1",
    "CLASE": "Rectificatoria con Giro",
    "CODINT": "59*****52",
    "COD_FORM": "F29",
    "DV_ORIGEN": "5",
    "FECHA_HOY": "17/01/2020",
    "FECHA_INGRESO": "22012019",
    "FOLIO": "67******56",
    "MEDIO_INGRESO": "INTERNET",
    "MEDIO_PAGO": "",
    "MOSTRAR_FOLIO": "1",
    "NOMBRES": "C******* *** C***** D*** Z*****",
    "NOMBRE_FUN": "  ",
    "OPCION": "VC",
    "PERIODO": "201812",
    "RUT_ORIGEN": "10****00",
    "TIPO_MOVIMIENTO": "5",
    "TOKEN": "VFC",
    "USUARIO": "0",
    "cant_anuladas": 1
  },
  "folioF": {
    "COD_9902_1": "67******46"
  },
  "glosa": {
    "001": "APELLIDO PATERNO O RAZÓN SOCIAL",
    "...": "...",
    "596": "RETENCION CAMBIO DE SUJETO",
    "9906": "FECHA PRESENTACION DECL. PRIMITIVA "
  },
  "justif": {
    "001": "I",
    "...": "...",
    "596": "D",
    "9906": "I"
  },
  "linea": {
    "001": "0",
    "...": "...",
    "596": "111",
    "9906": "118"
  },
  "tipos": {
    "001": "C",
    "...": "...",
    "596": "M",
    "9906": "N"
  }
}

Ref: Internal ID: a7de52c9-7bc4-4f53-8d06-8e7e2a36be8f

• https://github.com/fyntex/fynpal-v0/issues/1921
• https://github.com/fyntex/fynpal-v0/pull/1933
• https://github.com/fyntex/fynpal-v0/pull/1945
• https://github.com/fyntex/fynpal-v0/pull/1955
• https://github.com/fyntex/fynpal-v0/pull/1972

The DTE types that are "cedible" according to Formato Archivo Electrónico de Cesión (AEC) - SII Chile are:

Sólo códigos 33, 34, 46 y 43

Their constants from cl_sii.dte.constants are:

• TipoDteEnum.FACTURA_ELECTRONICA
• TipoDteEnum.FACTURA_NO_AFECTA_O_EXENTA_ELECTRONICA
• TipoDteEnum.FACTURA_COMPRA_ELECTRONICA
• TipoDteEnum.LIQUIDACION_FACTURA_ELECTRONICA

Use Cases

• Verification of SII AECs.

Ref: XML-Security/signxml#59

Even though it is assumed that a canonicalization algorithm is applied before performing the digital signature calculations of the XML, even if it is referenced in the SignedInfo element, it does not mean that it was necessarily applied. Unfortunately, the SII does not verify that the XML is in its canonical form, so it is common that several of the AECs accepted by the SII are not normalized (See discussion at #242).
For this reason, the signature verification algorithm will fail in those XMLs that, by canonicalizing them before verifying their signature, the normalization introduces changes that modify the content of the XML, e.g. documents containing empty-element tags

Related to #232

Ref: Aha! card