python.lang.security.use-defused-xmlrpc.use-defused-xmlrpc
Verified by r2c
Community Favorite
Downloads: 99,207
Detected use of xmlrpc. xmlrpc is not inherently safe from vulnerabilities. Use defusedxml.xmlrpc instead.
Definition
rules:
  - id: use-defused-xmlrpc
    pattern-either:
      - pattern: import xmlrpclib
      - pattern: import SimpleXMLRPCServer
      - pattern: import xmlrpc
    message: Detected use of xmlrpc. xmlrpc is not inherently safe from
      vulnerabilities. Use defusedxml.xmlrpc instead.
    metadata:
      cwe:
        - "CWE-776: Improper Restriction of Recursive Entity References in DTDs
          ('XML Entity Expansion')"
      owasp:
        - A04:2017 - XML External Entities (XXE)
        - A05:2021 - Security Misconfiguration
      source-rule-url: https://github.com/PyCQA/bandit/blob/07f84cb5f5e7c1055e6feaa0fe93afa471de0ac3/bandit/blacklists/imports.py#L160
      references:
        - https://pypi.org/project/defusedxml/
        - https://docs.python.org/3/library/xml.html#xml-vulnerabilities
      category: security
      technology:
        - python
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    severity: ERROR
    languages:
      - python
Examples
use-defused-xmlrpc.py
# ruleid:use-defused-xmlrpc
import xmlrpclib
# ruleid:use-defused-xmlrpc
import SimpleXMLRPCServer
# ruleid:use-defused-xmlrpc
import xmlrpc.server
# ok:use-defused-xmlrpc
import defusedxml.xmlrpc.server
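To make the rule's matching concrete, the following is an added Python script (it is not part of the registry page, the Semgrep rule, or defusedxml) that reproduces the same check with the standard library's ast module: it parses a file, reports every import whose top-level package is xmlrpclib, SimpleXMLRPCServer or xmlrpc, and leaves defusedxml.xmlrpc alone. It goes slightly beyond the three patterns above by also reporting `from xmlrpc.client import ...` forms; that is a choice made here, not a statement about Semgrep's exact import-pattern semantics. The sample source at the bottom is constructed for the demonstration and mirrors the test file above.

```python
import ast

# Modules named by the Semgrep rule: the two Python 2 names and the Python 3 package.
FLAGGED_PREFIXES = ("xmlrpclib", "SimpleXMLRPCServer", "xmlrpc")
RULE_ID = "use-defused-xmlrpc"
MESSAGE = ("Detected use of xmlrpc. xmlrpc is not inherently safe from "
           "vulnerabilities. Use defusedxml.xmlrpc instead.")


def _is_flagged(module_name):
    """True if module_name is a flagged module or one of its submodules.

    Only the top-level package is compared, so 'xmlrpc.server' is flagged while
    'defusedxml.xmlrpc' (top-level package 'defusedxml') is not.
    """
    top = module_name.split(".")[0]
    return top in FLAGGED_PREFIXES


def scan_source(source, filename="<string>"):
    """Return (filename, line, module) findings for every xmlrpc import in source."""
    findings = []
    tree = ast.parse(source, filename=filename)
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            # `import a, b.c as d` -> one alias per imported module
            for alias in node.names:
                if _is_flagged(alias.name):
                    findings.append((filename, node.lineno, alias.name))
        elif isinstance(node, ast.ImportFrom):
            # `from xmlrpc.server import SimpleXMLRPCServer`; relative imports
            # (level > 0) refer to a local package, so they are skipped.
            if node.level == 0 and node.module and _is_flagged(node.module):
                findings.append((filename, node.lineno, node.module))
    # ast.walk is breadth-first; sort so the report follows source order.
    return sorted(findings, key=lambda f: f[1])


def format_findings(findings):
    """Render findings in a Semgrep-like 'file:line: rule-id: message' form."""
    return [f"{path}:{line}: {RULE_ID}: {MESSAGE} (import {mod})"
            for path, line, mod in findings]


# Constructed sample input: the rule's test cases plus a from-import.
SAMPLE = """\
import xmlrpclib
import SimpleXMLRPCServer
import xmlrpc.server
from xmlrpc.client import ServerProxy
import defusedxml.xmlrpc
"""

if __name__ == "__main__":
    for report_line in format_findings(scan_source(SAMPLE, "sample.py")):
        print(report_line)
```

The script flags the first four imports of the sample and accepts the last one. Running it over the same file from several places in a code base is where a real Semgrep rule earns its keep; the point of the ast version is only to show that the match is on the imported module name, not on how the module is later used, which is why the rule's confidence is LOW.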
Short Link: https://sg.run/weqY