
XML injections in Python using xml.dom.minidom

I scanned Python source code using AppScan and it says that the code contains potential vulnerabilities (XML Injection). For example:

import xml.dom.minidom

...
dom = xml.dom.minidom.parse(filename)
...
document = xml.dom.minidom.parseString(xmlStr)
...

I installed defusedxml and replaced all parsing calls that use the standard Python xml package with parse/parseString from defusedxml.minidom and defusedxml.cElementTree:

import defusedxml.minidom

...
dom = defusedxml.minidom.parse(filename)
...
document = defusedxml.minidom.parseString(xmlStr)
...

These vulnerabilities are gone from the scan report. But AppScan still notifies me about vulnerabilities wherever any functions/classes are imported from the standard xml package. For example, classes from ElementTree used to modify/build an XML tree:

from xml.etree.cElementTree import (  # vulnerability here
    SubElement, Element, ElementTree)
import defusedxml.cElementTree as et
...
template = et.parse(template_filename)  # safe parsing

root = template.getroot()
email_list_el = root.find('emails').find('list')

for email_address in to_list:
    # build the tree with the standard ElementTree classes
    SubElement(email_list_el, 'string').text = email_address
    root.find('subject')[0].text = subject
    root.find('body')[0].text = body
...

Can this be considered a vulnerability if xml.dom.minidom is used only for writing XML?

ElementTree is not secured against maliciously constructed data. See the list of vulnerabilities. Consider using defusedxml instead.
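The distinction the question turns on, as an added example that is not part of the original post or of defusedxml: building a tree with Element/SubElement escapes text content, so the output side is not where XML injection happens; the parsing side is where entity expansion bites, and stdlib ElementTree expands internal entities. The pre-scan below uses only the standard library's expat handlers to refuse any DOCTYPE or entity declaration, mirroring what defusedxml's forbid_dtd/forbid_entities options do (the function names and the sample documents are constructed for this example).

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXML(ValueError):
    """Untrusted input carried a DTD or an entity declaration."""


def build_email_xml(to_list, subject, body):
    """Write side: the same structure as the question's template, built
    from scratch. Text is escaped by tostring(), so an address containing
    markup cannot inject elements into the document."""
    root = ET.Element("email")
    email_list = ET.SubElement(ET.SubElement(root, "emails"), "list")
    for address in to_list:
        ET.SubElement(email_list, "string").text = address
    ET.SubElement(root, "subject").text = subject
    ET.SubElement(root, "body").text = body
    return ET.tostring(root, encoding="utf-8")


def reject_dtd(xml_bytes):
    """Read side: pre-scan with expat and abort on the constructs that
    enable entity expansion and XXE (constructed stand-in for defusedxml)."""
    parser = xml.parsers.expat.ParserCreate()

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE not allowed in untrusted XML")

    def forbid_entity(*args):
        raise UnsafeXML("entity declaration not allowed in untrusted XML")

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.Parse(xml_bytes, True)  # exceptions from handlers propagate


def parse_untrusted(xml_bytes):
    """Only hand the bytes to ElementTree once the pre-scan passed."""
    reject_dtd(xml_bytes)
    return ET.fromstring(xml_bytes)


# Constructed sample: a tiny internal-entity expansion document.
LOL = (b'<!DOCTYPE lol [<!ENTITY l0 "lol"><!ENTITY l1 "&l0;&l0;">]>'
       b"<email>&l1;</email>")
```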
