Import of method(s) from
xml.etree detected BAN-B405Using ElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace ElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
6@author: Vivekanand Koya
7"""
8
9from xml.etree import ElementTree 10import io
11import re
12import csv
Description
Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. The xml.etree.ElementTree module implements a simple and efficient API for parsing and creating XML data. But it makes the application vulnerable to:
- Billion Laughs attack - It is a type of denial-of-service attack aimed at parsers of XML documents. It uses multiple levels of nested entities. If one large entity is repeated with a couple of thousand chars over and over again, parser gets overwhelmend.
- Quadratic blowup attack - It is similar to a Billion Laughs attack. It abuses entity expansion, too. Instead of nested entities it repeats one large entity with a couple of thousand chars over and over again.
Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Bad practice
import xml.etree.ElementTree as ET # Insecure, import from xml.etree
tree = ET.parse('some_fie.xml')
Recommended
from defusedxml.ElementTree import parse
tree = parse('some_fie.xml')
References:
- xml.etree
- defusedxml
- XML vulnerabilities
- OWASP Top 10 2021 Category A03 - Injection
- OWASP Top 10 2021 Category A06 - Vulnerable and Outdated Components
- CWE-611