Use of an insecure method from
xml.etree.ElementTree detected BAN-B314Using xml.etree.ElementTree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.parse with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
106 keys = []
107 keys_to_ruleelement = {}
108 try :
109 tree = et.parse(path) 110 except et.ParseError as e:
111 sys.stderr.write("[ERROR] {}: {}\n".format(path, e))
112 return keys, keys_to_ruleelement
Description
Using various XML methods to parse untrusted XML data is known to be vulnerable to XML attacks. Using the defusedxml module is recommended. Methods should be replaced with their defusedxml equivalents.
The xml.etree.ElementTree module implements a simple and efficient API for parsing and creating XML data. But it makes the application vulnerable to:
- Billion Laughs attack: It is a type of denial-of-service attack aimed at XML parsers. It uses multiple levels of nested entities. If one large entity is repeated with a couple of thousand chars repeatedly, the parser gets overwhelmed.
- Quadratic blowup attack: It is similar to a Billion Laughs attack. It abuses entity expansion, too. Instead of nested entities, it repeats one large entity with a couple of thousand chars repeatedly.
Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
Bad practice
import xml.etree.ElementTree as ET
tree = ET.parse('some_fie.xml') # Use of method from etree.ElementTree
Recommended
from defusedxml.ElementTree import parse
tree = parse('some_fie.xml')
References:
- xml.etree
- defusedxml
- XML vulnerabilities
- OWASP Top 10 2021 Category A03 - Injection
- OWASP Top 10 2021 Category A06 - Vulnerable and Outdated Components
- CWE-611