Improper Restriction of XML External Entity Reference
Description
The application uses Python's default XML processors (the expat-based parsers behind xml.dom, xml.sax and xml.etree), which place no restriction on entity declarations or external entity references. An adversary who controls the XML being parsed can declare nested internal entities (an XML bomb such as "billion laughs") that expand to a document orders of magnitude larger than the input, causing a Denial of Service (DoS) against the parsing application. Use the defusedxml library when processing untrusted XML.
Examples
Insecure Code

```python
import xml.dom.expatbuilder

# The default stdlib parser expands every entity it meets, so a crafted
# inventory.xml can declare nested entities that blow up in memory.
document = xml.dom.expatbuilder.parse('inventory.xml')
```

Secure Code

```python
from defusedxml.ElementTree import parse

# defusedxml refuses entity declarations and external references before
# anything is expanded, raising defusedxml.EntitiesForbidden or
# defusedxml.ExternalReferenceForbidden instead.
et = parse('inventory.xml')
root = et.getroot()
```

Remediation
Use the defusedxml library to parse XML documents, as shown in the example above (from defusedxml.ElementTree import parse). Its parsers raise defusedxml.EntitiesForbidden, defusedxml.ExternalReferenceForbidden or defusedxml.DTDForbidden instead of expanding the entity, so the caller should catch those exceptions and reject the document rather than fall back to the standard library parser.
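The following is an added example, not code from the rule page or from defusedxml, showing on the standard library alone what the default expat-based parsers do with two constructed payloads: a cut-down XML bomb (10 x 10 x 10 instead of the nine nested levels of "billion laughs") and a SYSTEM entity pointing at a local file. The guarded parser installs the same two expat handlers (EntityDeclHandler and ExternalEntityRefHandler) that defusedxml wires into its parsers; the local EntitiesForbidden class, the function names and the secret file content are assumptions made for this example.

```python
import io
import os
import tempfile
import xml.parsers.expat as expat
import xml.sax
import xml.sax.handler

# Constructed payload: the "billion laughs" shape cut down to 10 x 10 x 10,
# so an unguarded parser expands 1000 bytes from a 7-line document and
# finishes instantly. The real attack nests the same pattern nine deep.
ENTITY_BOMB = (
    '<?xml version="1.0"?>\n'
    "<!DOCTYPE data [\n"
    '  <!ENTITY a "aaaaaaaaaa">\n'
    '  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">\n'
    '  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">\n'
    "]>\n"
    "<data>&c;</data>\n"
)


class EntitiesForbidden(ValueError):
    """Raised by the guarded parser before a single entity is expanded
    (a local stand-in for defusedxml's exception of the same name)."""


def _collect_text(parser, xml_text):
    """Run an expat parser over xml_text and return its character data."""
    chunks = []
    parser.CharacterDataHandler = chunks.append
    parser.Parse(xml_text, True)
    return "".join(chunks).strip()


def parse_with_default_expat(xml_text):
    """Unguarded expat, the engine behind xml.dom, xml.sax and xml.etree:
    every entity reference is expanded, however deeply nested."""
    return _collect_text(expat.ParserCreate(), xml_text)


def parse_with_guarded_expat(xml_text):
    """Same parser with the two handlers defusedxml installs: any entity
    declaration or external entity reference aborts the parse."""
    parser = expat.ParserCreate()

    def forbid_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise EntitiesForbidden(f"entity declaration {name!r} rejected")

    def forbid_external_ref(context, base, sysid, pubid):
        raise EntitiesForbidden(f"external entity {sysid!r} rejected")

    parser.EntityDeclHandler = forbid_entity_decl
    parser.ExternalEntityRefHandler = forbid_external_ref
    return _collect_text(parser, xml_text)


def guarded_parser_rejects(xml_text):
    """True if the guarded parser refused the document."""
    try:
        parse_with_guarded_expat(xml_text)
    except EntitiesForbidden:
        return True
    return False


class _TextCollector(xml.sax.handler.ContentHandler):
    """SAX handler that just accumulates character data."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def sax_text_with_external_entities(enabled):
    """xml.sax resolves SYSTEM entities when feature_external_ges is on,
    so a local file is spliced into the document text (the classic XXE
    file read). Returns the text the application would see."""
    # Constructed secret file standing in for /etc/passwd or a config file.
    with tempfile.NamedTemporaryFile("w", encoding="utf-8", suffix=".txt",
                                     delete=False) as fh:
        fh.write("hunter2\n")
        secret_path = fh.name
    payload = (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE data [ <!ENTITY leak SYSTEM "{secret_path}"> ]>\n'
        "<data>&leak;</data>\n"
    )
    collector = _TextCollector()
    try:
        parser = xml.sax.make_parser()
        parser.setFeature(xml.sax.handler.feature_external_ges, enabled)
        parser.setContentHandler(collector)
        parser.parse(io.StringIO(payload))
    finally:
        os.unlink(secret_path)
    return "".join(collector.chunks).strip()


if __name__ == "__main__":
    print(len(parse_with_default_expat(ENTITY_BOMB)), "bytes from a 7-line document")
    print("guarded parser rejects bomb:", guarded_parser_rejects(ENTITY_BOMB))
    print("sax, external entities on:", sax_text_with_external_entities(True))
    print("sax, external entities off:", repr(sax_text_with_external_entities(False)))
```

The unguarded parser hands back 1000 bytes of text from a document of under 200, and the same three declarations nested nine deep would expand to gigabytes; the guarded parser raises on the first ENTITY declaration, before any expansion happens, which is why defusedxml reports the problem as an exception rather than a slow parse. xml.sax only reads the file when feature_external_ges is explicitly enabled (it has defaulted to off since Python 3.7.1), but with the feature off the entity is silently dropped rather than reported, whereas defusedxml.sax raises ExternalReferenceForbidden so the hostile document is rejected outright.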
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0175 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-611 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | xml, xxe, injection |
| OWASP | A4:2017-XML External Entities (XXE), A05:2021-Security Misconfiguration |