python.lang.security.use-defused-xml-parse.use-defused-xml-parse


The native Python xml library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data, and "XML bombs" (entity-expansion documents) can cause denial of service. Do not use this library to parse untrusted input. Instead, the Python documentation recommends using defusedxml.
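As an added illustration of the risk the rule describes (this is not part of the Semgrep rule or its test file): the stdlib parser silently expands an entity declared in a document's own DTD, while a guard that mirrors what defusedxml does under the hood (expat handlers that refuse a DOCTYPE, any entity declaration and any external entity reference before anything is expanded) rejects the same input. The sample documents are constructed, and the function and exception names are this example's own, not defusedxml's API.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class EntitiesForbidden(ValueError):
    """Raised when untrusted XML carries a DTD, an entity declaration or an external reference."""


# Constructed sample: a document whose internal DTD subset declares an entity.
# The stdlib parser expands it; a bomb or an external SYSTEM entity would be
# declared in exactly the same place.
SAMPLE_WITH_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY greeting "hello from the DTD"> ]>
<note>&greeting;</note>"""

# Constructed sample: ordinary XML with no DTD at all.
SAMPLE_PLAIN = b"""<?xml version="1.0"?>
<note>plain text</note>"""


def reject_dtd_and_entities(data: bytes) -> None:
    """Scan `data` with expat and raise as soon as a DTD or entity construct appears.

    This is the same technique defusedxml uses (it installs these handlers on the
    parser it wraps); here it runs as a separate pre-check so that the stdlib
    ElementTree parser is only reached by documents that contain no DTD.
    """
    parser = expat.ParserCreate()

    def forbid(*_args):
        # Raising inside an expat handler aborts the parse and propagates out of Parse().
        raise EntitiesForbidden("DTD and entity constructs are not allowed in untrusted XML")

    parser.StartDoctypeDeclHandler = forbid      # <!DOCTYPE ...>
    parser.EntityDeclHandler = forbid            # <!ENTITY name "value"> / SYSTEM "uri"
    parser.UnparsedEntityDeclHandler = forbid    # <!ENTITY name SYSTEM "uri" NDATA ...>
    parser.ExternalEntityRefHandler = forbid     # &ext; pointing outside the document
    parser.Parse(data, True)


def parse_unsafe(data: bytes) -> str:
    """What the flagged code does: parse with the stdlib and return the root text."""
    return ET.fromstring(data).text or ""


def parse_hardened(data: bytes) -> str:
    """Reject DTD/entity constructs first, then parse with the stdlib."""
    reject_dtd_and_entities(data)
    return ET.fromstring(data).text or ""


if __name__ == "__main__":
    print("stdlib expands the entity:", repr(parse_unsafe(SAMPLE_WITH_ENTITY)))
    print("hardened parses plain XML:", repr(parse_hardened(SAMPLE_PLAIN)))
    try:
        parse_hardened(SAMPLE_WITH_ENTITY)
    except EntitiesForbidden as exc:
        print("hardened rejects the DTD:", exc)
```

In production code the replacement the rule suggests is simpler: `defusedxml.ElementTree.parse()` and `fromstring()` raise `defusedxml.EntitiesForbidden` on the same constructs, so the pre-check above is only needed where defusedxml cannot be installed.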


Definition

rules:
  - id: use-defused-xml-parse
    metadata:
      owasp:
        - A04:2017 - XML External Entities (XXE)
        - A05:2021 - Security Misconfiguration
      cwe:
        - "CWE-611: Improper Restriction of XML External Entity Reference"
      references:
        - https://docs.python.org/3/library/xml.html
        - https://github.com/tiran/defusedxml
        - https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
      category: security
      technology:
        - python
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - XML Injection
    message: The native Python `xml` library is vulnerable to XML External Entity
      (XXE) attacks. These attacks can leak confidential data and "XML bombs"
      can cause denial of service. Do not use this library to parse untrusted
      input. Instead the Python documentation recommends using `defusedxml`.
    languages:
      - python
    severity: ERROR
    patterns:
      - pattern: xml.etree.ElementTree.parse($...ARGS)
      - pattern-not: xml.etree.ElementTree.parse("...")
    fix: defusedxml.etree.ElementTree.parse($...ARGS)

Examples

use-defused-xml-parse.py

def bad(input_string):
    # ok: use-defused-xml-parse
    import xml
    # ok: use-defused-xml-parse
    from xml.etree import ElementTree
    tree = ElementTree.parse('country_data.xml')
    root = tree.getroot()

    # ruleid: use-defused-xml-parse
    tree = ElementTree.parse(input_string)

def ok(input_string):
    # ok: use-defused-xml-parse
    import defusedxml
    # ok: use-defused-xml-parse
    # defusedxml exposes its ElementTree replacement at the package top level
    from defusedxml import ElementTree
    tree = ElementTree.parse('country_data.xml')
    root = tree.getroot()

    # ok: use-defused-xml-parse
    tree = ElementTree.parse(input_string)