Usage of vulnerable XML libraries

Description

Certain XML parsers, such as xml.sax and pulldom, are known to be vulnerable to XML parsing attacks such as Billion Laughs (exponential entity expansion). Avoid these libraries, and as an additional precaution use a hardened wrapper such as defusedxml to further mitigate XML vulnerabilities in Python.

Remediations

  • Do not use XML parsers that are known to be vulnerable to external entity attacks.
  • Do exercise caution when parsing XML and always ensure parser input is sufficiently validated and sanitized.
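The following is an added example, not Bearer's or defusedxml's own code, showing the kind of pre-parse policy the description and remediations call for: it refuses any document that declares a DTD or entities before the content is handed to a parser, which is the same policy defusedxml enforces (forbid DTD, forbid entities, forbid external references). It uses only the standard library's expat bindings so it runs without extra packages; the function names (`check_xml`, `is_accepted`, `parse_untrusted`) and the two sample documents are constructed for this example.

```python
"""Reject XML that declares a DTD or entities before any parser expands it.

Added example; not Bearer's or defusedxml's code. Mirrors the defusedxml
policy (forbid_dtd / forbid_entities / forbid_external) with the standard
library's expat bindings. Sample documents below are constructed.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class ForbiddenXML(ValueError):
    """Raised when a document uses a feature the policy forbids."""


def check_xml(data: bytes, forbid_dtd: bool = True) -> None:
    """Walk `data` with expat and raise ForbiddenXML on DTD/entity features.

    Expat reports the DOCTYPE and each entity declaration before it expands
    any entity reference in the body, so an exponential-expansion document
    is rejected at its first <!ENTITY ...> declaration, not after expansion.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        if forbid_dtd:
            raise ForbiddenXML("DOCTYPE declarations are not allowed")

    def on_entity_decl(name, is_pe, value, base, sysid, pubid, notation):
        # Covers internal entities (the Billion Laughs building block)
        # and external entities (XXE) alike.
        raise ForbiddenXML(f"entity declaration {name!r} is not allowed")

    def on_unparsed_entity(name, base, sysid, pubid, notation):
        raise ForbiddenXML(f"unparsed entity {name!r} is not allowed")

    def on_external_ref(context, base, sysid, pubid):
        raise ForbiddenXML("external entity references are not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.UnparsedEntityDeclHandler = on_unparsed_entity
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(data, True)  # exceptions raised in handlers propagate here


def is_accepted(data: bytes, forbid_dtd: bool = True) -> bool:
    """True if the document passes the policy, False if it is rejected."""
    try:
        check_xml(data, forbid_dtd=forbid_dtd)
    except ForbiddenXML:
        return False
    return True


def parse_untrusted(data: bytes) -> ET.Element:
    """Apply the policy, then parse with ElementTree only if it passes."""
    check_xml(data)
    return ET.fromstring(data)


# Constructed sample inputs: a plain document and one that declares an
# internal entity, which is enough to trip the policy.
BENIGN = b"<order><item sku='A1'>2</item></order>"
WITH_DTD = b"<!DOCTYPE order [<!ENTITY greet 'hi'>]><order>&greet;</order>"

if __name__ == "__main__":
    print("benign accepted:", is_accepted(BENIGN))           # True
    print("DTD accepted:", is_accepted(WITH_DTD))             # False
    print("DTD accepted, entities only:", is_accepted(WITH_DTD, forbid_dtd=False))  # False
    print("root tag:", parse_untrusted(BENIGN).tag)           # order
```

`xml.sax`, `pulldom` and ElementTree all sit on the same expat parser, so running this check first protects whichever of them the application uses; rejecting DTDs outright is also independent of whether the installed libexpat build caps entity amplification. For an application that must accept DTDs, `forbid_dtd=False` still blocks every entity declaration, which is the narrowest setting that stops both exponential expansion and external entity resolution.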

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --skip-rule=python_lang_xml_external_entity_vulnerability

To run only this rule during a scan, use the following flag

bearer scan /path/to/your-project/ --only-rule=python_lang_xml_external_entity_vulnerability