xml.etree
detected BAN-B405

from xml.etree.ElementTree import Element, SubElement, tostring

from flask import url_for
from sqlalchemy import asc
Parsing untrusted XML data with various standard-library methods is known to be vulnerable to XML attacks. The xml.etree.ElementTree module implements a simple and efficient API for parsing and creating XML data, but it leaves the application vulnerable to:
Replace vulnerable imports with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
import xml.etree.ElementTree as ET  # Insecure: parser imported from xml.etree
tree = ET.parse('some_file.xml')

from defusedxml.ElementTree import parse  # Secure: defusedxml's hardened parser
tree = parse('some_file.xml')
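As an added illustration (not part of the rule text, and not defusedxml's own code): the constructed document below carries an internal entity declaration, which plain xml.etree expands without being asked, while a parser built on the standard-library expat bindings that rejects DOCTYPE and entity declarations, the same idea defusedxml's parsers use, refuses it. The sample documents and function names are constructed for this example; in a real project you would install defusedxml as the remediation says rather than hand-roll this.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

# Constructed sample documents for this example (not from the scanned project).
SAFE_DOC = "<invoice><total>42</total></invoice>"
# A harmless internal entity stands in for the DTD-based tricks the finding
# refers to; the point is that the parser resolves it silently.
ENTITY_DOC = ('<!DOCTYPE invoice [<!ENTITY t "42">]>'
              "<invoice><total>&t;</total></invoice>")


class ForbiddenXML(ValueError):
    """Raised when a document carries a DOCTYPE or entity declaration."""


def parse_stdlib(data: str) -> ET.Element:
    """What the flagged import does: entities are resolved silently."""
    return ET.fromstring(data)


def parse_defused(data: str) -> ET.Element:
    """Hardened parse (the defusedxml approach, reimplemented here):
    any DOCTYPE, entity declaration or external entity reference aborts
    parsing before expat can act on it; plain well-formed XML still
    produces an ordinary Element tree."""
    def reject(*_args):
        raise ForbiddenXML("DOCTYPE / entity declarations are not allowed")

    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = reject
    parser.EntityDeclHandler = reject
    parser.ExternalEntityRefHandler = reject
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


def is_rejected(data: str) -> bool:
    """True when the hardened parser refuses the document."""
    try:
        parse_defused(data)
    except ForbiddenXML:
        return True
    return False


if __name__ == "__main__":
    print(parse_stdlib(ENTITY_DOC).find("total").text)  # "42": entity expanded
    print(is_rejected(ENTITY_DOC), is_rejected(SAFE_DOC))  # True False
```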