Improper Restriction of XML External Entity Reference
Description
The application uses the `xml.sax` package for processing XML, which suffers from various XML parsing vulnerabilities, including Billion Laughs and Quadratic Blowup entity expansion attacks. These vulnerabilities can allow an adversary to cause a Denial of Service (DoS) against the application parsing arbitrary XML.
Examples
Insecure Code
python
import xml.sax
xml.sax.parse('inventory.xml')Secure Code
python
from defusedxml.ElementTree import parse
et = parse('inventory.xml')Remediation
Use the `defusedxml` library when processing untrusted XML. Replace `xml.sax.parse()` with `defusedxml.ElementTree.parse()` and `xml.sax.parseString()` with `defusedxml.ElementTree.fromstring()`
Rule Details
| Field | Value |
|---|---|
| ID | CODE-0178 |
| Category | Injection |
| Severity | MEDIUM |
| CWE | CWE-611 |
| Confidence | HIGH |
| Impact | HIGH |
| Likelihood | MEDIUM |
| Exploitability | MODERATE |
| Tags | XML External Entity, XXE, Denial of Service |
| OWASP | A4:2017-XML External Entities (XXE), A03:2021-Injection |