Import of method(s) from
xml.etree detected BAN-B405Using xml.etree.ElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
1import os
2import pickle
3import xml.etree.ElementTree as etree 4from io import StringIO
5
6try:
Description
Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. The xml.etree.ElementTree module implements a simple and efficient API for parsing and creating XML data. But it makes the application vulnerable to:
- Billion Laughs attack - It is a type of denial-of-service attack aimed at parsers of XML documents. It uses multiple levels of nested entities. If one large entity is repeated with a couple of thousand chars over and over again, parser gets overwhelmend.
- Quadratic blowup attack - It is similar to a Billion Laughs attack. It abuses entity expansion, too. Instead of nested entities it repeats one large entity with a couple of thousand chars over and over again.
Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Bad practice
import xml.etree.ElementTree as ET # Insecure, import from xml.etree
tree = ET.parse('some_fie.xml')
Recommended
from defusedxml.ElementTree import parse
tree = parse('some_fie.xml')
References:
- xml.etree
- defusedxml
- XML vulnerabilities
- OWASP Top 10 2021 Category A03 - Injection
- OWASP Top 10 2021 Category A06 - Vulnerable and Outdated Components
- CWE-611