python.lang.security.use-defused-xml.use-defused-xml
Verified by r2c
Community Favorite
Author: semgrep
Download Count*: 99,223
License
The Python documentation recommends using defusedxml instead of xml because the native Python xml library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and "XML bombs" can cause denial of service.
Definition
rules:
  - id: use-defused-xml
    metadata:
      owasp:
        - A04:2017 - XML External Entities (XXE)
        - A05:2021 - Security Misconfiguration
      cwe:
        - "CWE-611: Improper Restriction of XML External Entity Reference"
      references:
        - https://docs.python.org/3/library/xml.html
        - https://github.com/tiran/defusedxml
        - https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
      category: security
      technology:
        - python
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - XML Injection
    message: The Python documentation recommends using `defusedxml` instead of `xml`
      because the native Python `xml` library is vulnerable to XML External
      Entity (XXE) attacks. These attacks can leak confidential data and "XML
      bombs" can cause denial of service.
    languages:
      - python
    severity: ERROR
    pattern: import xml
Examples
use-defused-xml.py
def bad():
    # ruleid: use-defused-xml
    import xml
    # ruleid: use-defused-xml
    from xml.etree import ElementTree
    tree = ElementTree.parse('country_data.xml')
    root = tree.getroot()


def ok():
    # ok: use-defused-xml
    import defusedxml
    # ok: use-defused-xml
    # defusedxml exposes its ElementTree drop-in at the package top level
    # (there is no defusedxml.etree module).
    from defusedxml import ElementTree
    tree = ElementTree.parse('country_data.xml')
    root = tree.getroot()
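Added example, not part of the Semgrep rule or its test file: the guard that defusedxml applies by default (refusing DTD entity declarations and external entity references) reproduced on the stdlib expat parser so it runs without defusedxml installed, next to the unguarded xml.etree behaviour the rule warns about. The sample documents are constructed; this block itself imports xml and would trip the rule, which is the point: the remediation the rule asks for is to import defusedxml rather than to hand-roll these handlers.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat
# Constructed samples: a plain document and one whose DTD declares an internal entity.
SAFE_XML = b"<root><item>plain</item></root>"
ENTITY_XML = b'<!DOCTYPE root [<!ENTITY e "expanded">]><root><item>&e;</item></root>'


class EntitiesForbidden(ValueError):
    """Raised before any declared entity can be expanded."""


def stdlib_expands(data: bytes) -> str:
    # The unguarded xml.etree parser expands the declared entity without complaint.
    return ET.fromstring(data).find("item").text


def parse_guarded(data: bytes) -> list:
    # expat with DTDs, entity declarations and external refs refused; returns [(tag, text), ...]
    parser = expat.ParserCreate()
    stack, done = [], []
    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Entity-expansion bombs and XXE payloads are declared in the DOCTYPE.
        raise EntitiesForbidden(f"DOCTYPE {name!r} not allowed")
    def on_entity_decl(*_):
        raise EntitiesForbidden("entity declaration not allowed")
    def on_external_ref(context, base, sysid, pubid):
        return 0  # 0 makes expat stop instead of fetching sysid
    def on_start(tag, attrs):
        stack.append([tag, ""])
    def on_text(text):
        if stack:
            stack[-1][1] += text
    def on_end(tag):
        done.append(tuple(stack.pop()))
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_text
    parser.EndElementHandler = on_end
    parser.Parse(data, True)
    return done


def rejects(data: bytes) -> bool:
    try:
        parse_guarded(data)
    except EntitiesForbidden:
        return True
    return False
```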
Short Link: https://sg.run/kX47