This repository has been archived by the owner on Oct 6, 2020. It is now read-only.

Add linter for insecure defusedxml use #5

Closed
mschwager opened this issue May 22, 2019 · 0 comments

Comments

@mschwager
Collaborator

Some good heuristics to start:

  • defusedxml.lxml.fromstring with forbid_dtd, forbid_entities, forbid_external turned off (forbid_dtd is off by default)
  • defusedxml.lxml.iterparse with ...
  • defusedxml.lxml.parse with ...
  • Anything similar we can find in xmlsec

I would say we're mostly there to include this via BadKwargUseLinter. However, I think we need to improve our import detection before we can include this rule (e.g. #1, #2). I say this because of two reasons:

  1. forbid_dtd is off by default, so we'll be checking for a lack of this kwarg specification.
  2. parse is a common enough function name.

So, if we don't have confidence that a parse call corresponds to defusedxml.lxml.parse, and we're simply checking for a lack of forbid_dtd, I believe we'll encounter lots of false positives.
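
The heuristic sketched in the issue, written out as an added example that is not part of the project or of the issue: an `ast`-based check that resolves import aliases first, so only calls that actually reach `defusedxml.lxml.parse` / `fromstring` / `iterparse` without `forbid_dtd=True` are reported, and a bare `parse()` from some other module is left alone. The function names and the sample source below are constructed for illustration.

```python
import ast

# defusedxml.lxml entry points whose forbid_dtd kwarg is off by default
TARGETS = {"parse", "fromstring", "iterparse"}
MODULE = "defusedxml.lxml"


def _qualified_name(node, aliases):
    """Resolve a call target to a dotted name, expanding import aliases."""
    if isinstance(node, ast.Name):
        return aliases.get(node.id, node.id)
    if isinstance(node, ast.Attribute):
        base = _qualified_name(node.value, aliases)
        return f"{base}.{node.attr}" if base else None
    return None


def find_insecure_calls(source):
    """Return sorted (lineno, qualified_name) pairs for defusedxml.lxml
    parse-style calls that do not pass forbid_dtd=True. Import tracking
    keeps an unrelated parse() out of the results."""
    tree = ast.parse(source)
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                aliases[alias.asname or alias.name] = alias.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                aliases[alias.asname or alias.name] = f"{node.module}.{alias.name}"
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _qualified_name(node.func, aliases)
        if not name or not name.startswith(MODULE + "."):
            continue
        if name.rsplit(".", 1)[1] not in TARGETS:
            continue
        kwargs = {k.arg: k.value for k in node.keywords if k.arg}
        value = kwargs.get("forbid_dtd")
        if not (isinstance(value, ast.Constant) and value.value is True):
            findings.append((node.lineno, name))
    return sorted(findings)


# Constructed sample input: two insecure calls, one safe call, one unrelated parse()
SAMPLE = '''
import defusedxml.lxml as dx
from defusedxml.lxml import fromstring
from lxml.etree import parse
dx.parse("a.xml")                        # line 5: flagged, forbid_dtd omitted
dx.parse("b.xml", forbid_dtd=True)       # line 6: ok
fromstring(b"<x/>", forbid_dtd=False)    # line 7: flagged, explicitly off
parse("c.xml")                           # line 8: lxml.etree, not defusedxml; ignored
'''
```

Running `find_insecure_calls(SAMPLE)` reports lines 5 and 7 only; the `lxml.etree` import on line 4 is what keeps line 8 out of the findings.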
