Improper Restriction of XML External Entity Reference
Description
The application calls `xml.dom.expatbuilder`, the Expat-based builder that `xml.dom.minidom` uses to construct DOM trees. Python's standard-library XML parsers are not hardened against maliciously constructed input: they honour entity declarations found in an untrusted document's DTD, which enables entity-expansion denial of service (the "billion laughs" and quadratic blowup attacks, depending on the bundled Expat version), and, depending on the Python version, more critical issues such as XML External Entity (XXE) injection may be exploitable. Treat any XML that crosses a trust boundary as hostile.
Examples
Insecure Code
```python
import xml.dom.expatbuilder

# Stock stdlib DOM parser: entity declarations in untrusted input are honoured.
xml.dom.expatbuilder.parse(...)
```
Secure Code
```python
from defusedxml.ElementTree import parse

# defusedxml rejects entity declarations and external references by default.
et = parse('inventory.xml')
root = et.getroot()
```
Remediation
Parse untrusted XML with the defusedxml library (`pip install defusedxml`), which refuses entity declarations and external references by default. Example: `from defusedxml.ElementTree import parse`. If the surrounding code depends on the DOM API, `defusedxml.minidom` and `defusedxml.expatbuilder` expose the same `parse` and `parseString` functions as their stdlib counterparts, so the call site can stay as it is.
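To show what the remediation changes at the parser level, here is an added example (not code from this rule page or from the defusedxml project) that installs the same pyexpat handlers defusedxml registers internally, then runs constructed XXE and entity-expansion payloads through both the stock parser and the guarded one. The function names (`parse_default`, `parse_hardened`, `check`), the guard exception classes, and the `file:///etc/hostname` path in the XXE payload are this example's own assumptions.

```python
"""Hardened Expat parsing that refuses DTD entity tricks before they expand.

Added example, not code from the rule page or from the defusedxml project. It
reproduces the technique defusedxml applies under the hood: install pyexpat
handlers that raise as soon as untrusted input declares an entity or references
an external one. All XML payloads below are constructed for the demo; the
file:// path in the XXE payload is illustrative.
"""
import xml.parsers.expat


class DTDForbidden(ValueError):
    """Raised when the document carries a DOCTYPE and DTDs are disallowed."""


class EntitiesForbidden(ValueError):
    """Raised when the document declares an entity (internal or external)."""


class ExternalReferenceForbidden(ValueError):
    """Raised when content references an external entity."""


# Constructed payloads.
BENIGN = b'<?xml version="1.0"?><inventory><item sku="A1">widget</item></inventory>'

# Classic XXE shape: a general entity whose value would be read from a local file.
XXE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE inventory [<!ENTITY xxe SYSTEM "file:///etc/hostname">]>'
    b"<inventory><item>&xxe;</item></inventory>"
)

# Scaled-down "billion laughs": three levels of ten-fold nesting turn a
# ~300-byte document into 1,000 copies of "lol" (3,000 characters) on expansion.
LAUGHS = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE lolz [<!ENTITY lol "lol">'
    b'<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">'
    b'<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">'
    b'<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">]>'
    b"<lolz>&lol3;</lolz>"
)


def _collecting_parser():
    """Create an Expat parser that records element names and character data."""
    parser = xml.parsers.expat.ParserCreate()
    tags, chunks = [], []
    parser.StartElementHandler = lambda name, attrs: tags.append(name)
    parser.CharacterDataHandler = chunks.append
    return parser, tags, chunks


def parse_default(data):
    """Stock Expat behaviour: entity declarations are accepted and expanded."""
    parser, tags, chunks = _collecting_parser()
    parser.Parse(data, True)
    return tags, "".join(chunks)


def parse_hardened(data, forbid_dtd=False, forbid_entities=True, forbid_external=True):
    """Expat with defusedxml-style guards; the defaults mirror defusedxml's."""
    parser, tags, chunks = _collecting_parser()

    def reject_dtd(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden(f"DOCTYPE {name!r} not allowed in untrusted input")

    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise EntitiesForbidden(f"entity declaration {name!r} not allowed")

    def reject_unparsed(name, base, sysid, pubid, notation):
        raise EntitiesForbidden(f"unparsed entity {name!r} not allowed")

    def reject_external(context, base, sysid, pubid):
        raise ExternalReferenceForbidden(f"external reference {sysid!r} not allowed")

    if forbid_dtd:
        parser.StartDoctypeDeclHandler = reject_dtd
    if forbid_entities:
        # Fires on the declaration itself, so nothing is ever expanded.
        parser.EntityDeclHandler = reject_entity
        parser.UnparsedEntityDeclHandler = reject_unparsed
    if forbid_external:
        # Second line of defence: fires when content references an external entity.
        parser.ExternalEntityRefHandler = reject_external
    parser.Parse(data, True)
    return tags, "".join(chunks)


def check(data, **guards):
    """Return 'accepted' or the name of the guard exception the hardened parser raised."""
    try:
        parse_hardened(data, **guards)
    except (DTDForbidden, EntitiesForbidden, ExternalReferenceForbidden) as exc:
        return type(exc).__name__
    return "accepted"


if __name__ == "__main__":
    print("default  :", parse_default(BENIGN))
    print("default  : laughs expands to", len(parse_default(LAUGHS)[1]), "chars")
    for label, payload in (("benign", BENIGN), ("xxe", XXE), ("laughs", LAUGHS)):
        print("hardened :", label, "->", check(payload))
    print("hardened : xxe with entities allowed ->", check(XXE, forbid_entities=False))
```

The stock parser expands the nested entities without complaint, which is the amplification that turns a few hundred bytes into a memory and CPU sink at scale; the guarded parser rejects both payloads at the `<!ENTITY ...>` declaration, before any expansion or reference is processed. The external-reference handler only matters when entity declarations are allowed through, which is why defusedxml enables both guards by default. In application code, prefer defusedxml itself over re-implementing these handlers.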
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0174 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-611 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | xml, xxe, injection |
| OWASP | A4:2017-XML External Entities (XXE), A03:2021-Injection |