xml.etree.ElementTree
detected BAN-B314

    import sys
    import xml.etree.ElementTree as et   # standard-library parser flagged by the rule

    keys = []
    keys_to_ruleelement = {}
    try:
        tree = et.parse(path)            # flagged call: stdlib parse of a file the caller controls
    except et.ParseError as e:
        sys.stderr.write("[ERROR] {}: {}\n".format(path, e))
        return keys, keys_to_ruleelement
Parsing untrusted XML with the standard-library XML modules leaves the application open to well-known XML attacks. The defusedxml module is recommended: replace each parsing call with its defusedxml equivalent.
The xml.etree.ElementTree module implements a simple and efficient API for parsing and creating XML data, but when it parses untrusted input it is vulnerable to entity-expansion denial-of-service attacks (billion laughs, quadratic blowup), which defusedxml blocks by refusing DTD and entity declarations.
Replace the vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called before any XML is parsed (it monkey-patches the standard-library modules, so it must run first in the process).
    # Before: standard-library parser, flagged by BAN-B314
    import xml.etree.ElementTree as ET
    tree = ET.parse('some_file.xml')   # use of method from etree.ElementTree

    # After: defusedxml drop-in replacement with the same signature
    from defusedxml.ElementTree import parse
    tree = parse('some_file.xml')
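The following is an added example, not code from the report or from defusedxml. It shows, with only the standard library, why the rule fires and what defusedxml forbids: a small constructed billion-laughs document that xml.etree.ElementTree expands without complaint, beside a guard that runs the bytes through a bare expat parser and aborts on the first DOCTYPE, entity declaration or external entity reference before ElementTree ever sees them. The payload and the `safe_fromstring` / `is_rejected` helpers are constructed here for illustration; in production code use defusedxml rather than this guard.

```python
"""Added example: stdlib-only demonstration of the BAN-B314 problem and a
guard modelled on the constructs defusedxml refuses (DOCTYPE, entity
declarations, external entity references)."""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class ForbiddenXML(ValueError):
    """Raised when untrusted XML contains a construct the guard refuses."""


# Constructed sample inputs: a harmless document and a tiny billion-laughs
# payload (two levels of tenfold expansion, so it stays small enough to run).
BENIGN = b'<?xml version="1.0"?><rules><rule key="A1"/><rule key="B2"/></rules>'
LAUGHS = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE lolz [\n'
    b' <!ENTITY lol "lol">\n'
    b' <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">\n'
    b' <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">\n'
    b']>\n'
    b'<lolz>&lol2;</lolz>'
)


def expanded_text_length(data: bytes) -> int:
    """The unsafe path: plain ElementTree expands the internal entities.

    For LAUGHS the 18-byte reference &lol2; becomes 100 copies of "lol"
    (300 characters); a real payload nests ten levels and exhausts memory.
    """
    return len(ET.fromstring(data).text)


def _assert_no_dtd(data: bytes) -> None:
    """Stream the bytes through a bare expat parser whose handlers abort on
    the first DOCTYPE, entity declaration or external entity reference.
    Exceptions raised inside pyexpat handlers propagate out of Parse()."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXML("DOCTYPE declaration not allowed: %r" % name)

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXML("entity declaration not allowed: %r" % name)

    def on_external_ref(context, base, sysid, pubid):
        raise ForbiddenXML("external entity reference not allowed: %r" % sysid)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)


def safe_fromstring(data: bytes) -> ET.Element:
    """Parse untrusted XML only after the guard has rejected DTD constructs."""
    _assert_no_dtd(data)
    return ET.fromstring(data)


def is_rejected(data: bytes) -> bool:
    """True if the guard refuses the document, False if it parses cleanly."""
    try:
        safe_fromstring(data)
    except ForbiddenXML:
        return True
    return False


if __name__ == "__main__":
    print("benign root:", safe_fromstring(BENIGN).tag)
    print("unsafe expansion of LAUGHS:", expanded_text_length(LAUGHS), "chars")
    print("guard rejects LAUGHS:", is_rejected(LAUGHS))
```

The guard parses the document twice, once with expat to inspect it and once with ElementTree to build the tree; defusedxml avoids that by installing the same handlers on ElementTree's own parser, which is one reason to prefer it over a hand-rolled check.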