xml.etree

Detected: BAN-B405

```python
import os
import pickle
import xml.etree.ElementTree as etree
from io import StringIO

try:
    # ... (the rest of the flagged file is not shown on the page)
```
Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. The xml.etree.ElementTree module implements a simple and efficient API for parsing and creating XML data. But it makes the application vulnerable to:
Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Bad practice:

```python
import xml.etree.ElementTree as ET  # Insecure: imports the parser from xml.etree
tree = ET.parse('some_file.xml')
```

Recommended:

```python
from defusedxml.ElementTree import parse
tree = parse('some_file.xml')
```
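To show what the defusedxml replacement actually enforces, here is an added, standard-library-only example (not the page's code and not defusedxml's own implementation) that hooks expat's DOCTYPE and entity callbacks in the same way defusedxml's parser does and refuses the document before any expansion happens. The names `parse_untrusted`, `is_rejected`, `ForbiddenXMLConstruct` and the sample documents are constructed for this illustration.

```python
# Added illustration: a stdlib-only parser that rejects DTD/entity constructs
# by hooking expat callbacks, mirroring the approach defusedxml takes.
# parse_untrusted, is_rejected, ForbiddenXMLConstruct and the samples are
# invented for this example, not part of any library.
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXMLConstruct(ValueError):
    """Raised when untrusted XML contains a DTD, entity or external reference."""


def parse_untrusted(data, forbid_dtd=False, forbid_entities=True,
                    forbid_external=True):
    """Parse bytes into an ET.Element, refusing risky constructs early.

    Defaults follow defusedxml's: entities and external references are
    always refused, a bare DOCTYPE only when forbid_dtd is set.
    """
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def reject(kind):
        # Any exception raised inside an expat handler propagates out of Parse().
        def handler(*_args):
            raise ForbiddenXMLConstruct(f"{kind} not allowed in untrusted XML")
        return handler

    if forbid_dtd:
        parser.StartDoctypeDeclHandler = reject("DOCTYPE declaration")
    if forbid_entities:
        parser.EntityDeclHandler = reject("entity declaration")
        parser.UnparsedEntityDeclHandler = reject("unparsed entity declaration")
    if forbid_external:
        parser.ExternalEntityRefHandler = reject("external entity reference")
    # Route ordinary structural events into ElementTree's standard tree builder.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


def is_rejected(data, **options):
    """True if parse_untrusted refuses the document, False if it parses."""
    try:
        parse_untrusted(data, **options)
    except ForbiddenXMLConstruct:
        return True
    return False


# Constructed sample documents (not taken from the page).
PLAIN = b"<r><a>hello</a></r>"
DOCTYPE_ONLY = b"<!DOCTYPE r><r/>"
INTERNAL_ENTITY = b'<!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>'
```

With the defaults, `PLAIN` and `DOCTYPE_ONLY` parse while `INTERNAL_ENTITY` is refused at the declaration; passing `forbid_dtd=True` also refuses `DOCTYPE_ONLY`.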