Use of an insecure method from `xml.etree.cElementTree` detected (BAN-B313)
cwe, a03, cwe-611, a06, sans-top-25, owasp-top-10
Using the various `xml` methods to parse untrusted XML data is known to be vulnerable to XML attacks. Using the defusedxml module is recommended: these methods should be replaced with their defusedxml equivalents.
`xml.etree.cElementTree` is the C implementation of the `xml.etree.ElementTree` API. It has been deprecated since version 3.3. Use of `xml.etree.cElementTree` is in itself insecure.
The `xml.etree.ElementTree` module implements a simple and efficient API for parsing and creating XML data, but it makes the application vulnerable to:
- Billion Laughs attack: a denial-of-service attack aimed at XML parsers. It uses multiple levels of nested entities; when the parser expands them, the document grows far beyond its original size and the parser gets overwhelmed.
- Quadratic blowup attack: similar to a Billion Laughs attack, it also abuses entity expansion, but instead of nested entities it repeats one large entity (a couple of thousand characters) many times.
Replace vulnerable imports with the equivalent `defusedxml` package, or make sure `defusedxml.defuse_stdlib()` is called.
Bad practice

```python
import xml.etree.cElementTree as ET

# Use of a method from xml.etree.cElementTree: entities declared in the
# file are expanded without any limit
tree = ET.parse('some_file.xml')
```

Recommended

```python
from defusedxml.ElementTree import parse

# defusedxml refuses entity declarations instead of expanding them
tree = parse('some_file.xml')
```
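As an added example (not code from the rule page or from the defusedxml project), the following stdlib-only guard does what the defusedxml parser does under the hood: it installs expat handlers that refuse entity declarations and external entity references, so the stock `xml.etree.ElementTree` parser never gets the chance to expand them. The class and function names are my own and the two input documents are constructed.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class EntitiesForbidden(ValueError):
    """Raised when a document declares an entity or references an external one."""


def check_no_entities(data: bytes) -> None:
    """Reject entity declarations and external references before parsing.

    Billion Laughs and quadratic blowup both need a DTD that declares
    entities, so refusing the declaration means the expansion never starts.
    """
    parser = expat.ParserCreate()

    def forbid_entity(name, is_param, value, base, sysid, pubid, notation):
        raise EntitiesForbidden(f"entity declaration {name!r} is not allowed")

    def forbid_external(context, base, sysid, pubid):
        raise EntitiesForbidden(f"external entity {sysid!r} is not allowed")

    parser.EntityDeclHandler = forbid_entity
    parser.ExternalEntityRefHandler = forbid_external
    parser.Parse(data, True)  # an exception raised in a handler propagates here


def safe_fromstring(data: bytes) -> ET.Element:
    """ET.fromstring that refuses entity-bearing input instead of expanding it."""
    check_no_entities(data)
    return ET.fromstring(data)


def expanded_text(data: bytes) -> str:
    """Stock parser: returns the root text with entities already expanded."""
    return ET.fromstring(data).text or ""


def is_rejected(data: bytes) -> bool:
    """True if the guarded parser refuses the document."""
    try:
        safe_fromstring(data)
    except EntitiesForbidden:
        return True
    return False


# Constructed inputs: a harmless doc and a toy two-level nested-entity doc
# (the Billion Laughs mechanism at tiny scale: &b; expands to "xxxx").
BENIGN = b"<config><user>alice</user></config>"
NESTED = b'<!DOCTYPE r [<!ENTITY a "xx"><!ENTITY b "&a;&a;">]><r>&b;</r>'
```

Running `expanded_text(NESTED)` shows the stock parser silently expanding the nested entities, while `safe_fromstring(NESTED)` raises `EntitiesForbidden` and `safe_fromstring(BENIGN)` parses normally.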
References:
- xml.etree
- defusedxml
- XML vulnerabilities
- OWASP Top 10 2021 Category A03 - Injection
- OWASP Top 10 2021 Category A06 - Vulnerable and Outdated Components
- CWE-611