python.lang.security.use-defused-xml.use-defused-xml

Verifed by r2c
Community Favorite
profile photo of returntocorpreturntocorp
Author
99,223
Download Count*

The Python documentation recommends using defusedxml instead of xml because the native Python xml library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and "XML bombs" can cause denial of service.

Run Locally

Run in CI

Defintion

rules:
  - id: use-defused-xml
    metadata:
      owasp:
        - A04:2017 - XML External Entities (XXE)
        - A05:2021 - Security Misconfiguration
      cwe:
        - "CWE-611: Improper Restriction of XML External Entity Reference"
      references:
        - https://docs.python.org/3/library/xml.html
        - https://github.com/tiran/defusedxml
        - https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
      category: security
      technology:
        - python
      cwe2022-top25: true
      cwe2021-top25: true
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    message: The Python documentation recommends using `defusedxml` instead of `xml`
      because the native Python `xml` library is vulnerable to XML External
      Entity (XXE) attacks. These attacks can leak confidential data and "XML
      bombs" can cause denial of service.
    languages:
      - python
    severity: ERROR
    pattern: import xml

Examples

use-defused-xml.py

def bad():
    # ruleid: use-defused-xml
    import xml
    # ruleid: use-defused-xml
    from xml.etree import ElementTree
    tree = ElementTree.parse('country_data.xml')
    root = tree.getroot()

def ok():
    # ok: use-defused-xml
    import defusedxml
    # ok: use-defused-xml
    from defusedxml.etree import ElementTree
    tree = ElementTree.parse('country_data.xml')
    root = tree.getroot()