Disable entities while parsing XML #1

jorgectf · 2021-08-25T15:10:23Z

If an attacker supplies a url returning malicious XML content, they may be able to leak internal information such as files, and/or cause a denial of service.

Entrypoint:

digger/remove_leading_place.py

Line 15 in 399d0d5

url = request.args.get('url')

Getting into ocr_to_dict:

digger/remove_leading_place.py

Line 25 in 399d0d5

parsed_text = ocr_to_dict(url)

User-controlled URL request:

digger/remove_leading_place.py

Line 42 in 399d0d5

req = requests.get(url)

Vulnerable parser declaration:

digger/remove_leading_place.py

Lines 45 to 47 in 399d0d5

    
           parser = lxml.etree.XMLParser(ns_clean=True, 
        
                                         recover=True, 
        
                                         encoding='utf-8')

Sink:

digger/remove_leading_place.py

Line 49 in 399d0d5

xml = lxml.etree.fromstring(text, parser=parser)

More information:

Disable entities while parsing XML

6697d12

jorgectf mentioned this pull request Aug 25, 2021

[Python]: CWE-611: XXE github/securitylab#424

Closed

1 task

WillemJan merged commit e88008d into KBNLresearch:master Aug 25, 2021

jorgectf deleted the fix-xxe branch August 26, 2021 21:09

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Disable entities while parsing XML #1

Disable entities while parsing XML #1

jorgectf commented Aug 25, 2021 •

edited

Loading

	parser = lxml.etree.XMLParser(ns_clean=True,
	recover=True,
	encoding='utf-8')

Disable entities while parsing XML #1

Disable entities while parsing XML #1

Conversation

jorgectf commented Aug 25, 2021 • edited Loading

jorgectf commented Aug 25, 2021 •

edited

Loading