Pattern: Use of insecure xml.etree.ElementTree module
Issue: -
This module is not secure against maliciously constructed data. Use defusedxml package instead.
The results of an attack on a vulnerable XML library can be fairly dramatic. With just a few hundred Bytes of XML data an attacker can occupy several Gigabytes of memory within seconds. An attacker can also keep CPUs busy for a long time with a small to medium size request. Under some circumstances it is even possible to access local files on your server, to circumvent a firewall, or to abuse services to rebound attacks to third parties.
This rule checks for the following calls:
xml.etree.ElementTree.parsexml.etree.ElementTree.iterparsexml.etree.ElementTree.fromstringxml.etree.ElementTree.XMLParser
Example of insecure code:
import xml.etree.ElementTree as badET
xmlString = "<note>malicious data</note>"
tree = badET.fromstring(xmlString)
print(tree)
badET.parse('filethatdoesntexist.xml')
badET.iterparse('filethatdoesntexist.xml')
result = badET.XMLParser()Example of secure code:
import defusedxml.ElementTree as goodET
xmlString = "<note>malicious data</note>"
tree = goodET.fromstring(xmlString)
print(tree)
goodET.parse('filethatdoesntexist.xml')
goodET.iterparse('filethatdoesntexist.xml')
result = goodET.XMLParser()