python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc

Verified by r2c
Community Favorite
Author: semgrep
Download count: 99,207

Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead.


Definition

rules:
  - id: use-defused-xmlrpc
    pattern-either:
      - pattern: import xmlrpclib
      - pattern: import SimpleXMLRPCServer
      - pattern: import xmlrpc
    message: Detected use of xmlrpc. xmlrpc is not inherently safe from
      vulnerabilities. Use defusedxml.xmlrpc instead.
    metadata:
      cwe:
        - "CWE-776: Improper Restriction of Recursive Entity References in DTDs
          ('XML Entity Expansion')"
      owasp:
        - A04:2017 - XML External Entities (XXE)
        - A05:2021 - Security Misconfiguration
      source-rule-url: https://github.com/PyCQA/bandit/blob/07f84cb5f5e7c1055e6feaa0fe93afa471de0ac3/bandit/blacklists/imports.py#L160
      references:
        - https://pypi.org/project/defusedxml/
        - https://docs.python.org/3/library/xml.html#xml-vulnerabilities
      category: security
      technology:
        - python
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - XML Injection
    severity: ERROR
    languages:
      - python

Examples

use-defused-xmlrpc.py

# ruleid:use-defused-xmlrpc
import xmlrpclib
# ruleid:use-defused-xmlrpc
import SimpleXMLRPCServer
# ruleid:use-defused-xmlrpc
import xmlrpc.server

# ok:use-defused-xmlrpc
import defusedxml.xmlrpc.server
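The rule's message points at defusedxml.xmlrpc because the stdlib xmlrpc parser will happily process DTDs and entity declarations (the CWE-776 vector the rule cites). The block below is an added, stdlib-only illustration of the mechanism defusedxml applies, not code from the Semgrep rule or from the defusedxml project: it runs the request body through expat with handlers that abort on any DOCTYPE, entity declaration or external entity reference before xmlrpc.client.loads ever sees it. The names ForbiddenXML, reject_dtd_and_entities, safe_loads and is_defused_safe are assumptions of this example; in production code call defusedxml.xmlrpc.monkey_patch() instead.

```python
# Added example (not the Semgrep rule's or defusedxml's own code): reject
# XML-RPC bodies that carry a DTD or entity declarations before decoding them.
import xml.parsers.expat
import xmlrpc.client


class ForbiddenXML(ValueError):
    """Raised when an XML-RPC body declares a DTD, entity or external reference."""


def reject_dtd_and_entities(data):
    """Walk the document with expat; abort on the first DTD/entity construct.

    Mirrors the policy defusedxml enforces (forbid_dtd / forbid_entities /
    forbid_external); this is a hypothetical re-implementation for illustration.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXML("DOCTYPE declaration not allowed: %r" % name)

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXML("entity declaration not allowed: %r" % name)

    def on_external_ref(context, base, sysid, pubid):
        raise ForbiddenXML("external entity reference not allowed: %r" % sysid)

    # Exceptions raised inside expat handlers propagate out of Parse().
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)


def safe_loads(data):
    """Decode an XML-RPC request only after the body passed the DTD check.

    Returns the same (params, methodname) tuple as xmlrpc.client.loads.
    """
    reject_dtd_and_entities(data)
    return xmlrpc.client.loads(data)


def is_defused_safe(data):
    """True if the body would be accepted, False if the pre-check rejects it."""
    try:
        reject_dtd_and_entities(data)
    except ForbiddenXML:
        return False
    return True
```

A body that a plain xmlrpc.client.loads would parse without complaint, such as a constructed request with an inline DOCTYPE, is rejected before any entity is expanded; an ordinary methodCall produced by xmlrpc.client.dumps passes unchanged.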