I scanned Python source code using AppScan and it says that the code contains potential vulnerabilities (XML Injection). For example:
import xml.dom.minidom
...
dom = xml.dom.minidom.parse(filename)
...
document = xml.dom.minidom.parseString(xmlStr)
...
I installed defusedxml and replaced all parsing calls that use the standard Python xml package with parse/parseString from defusedxml.minidom and defusedxml.cElementTree:
import defusedxml.minidom
...
dom = defusedxml.minidom.parse(filename)
...
document = defusedxml.minidom.parseString(xmlStr)
...
These vulnerabilities are gone from the scan report, but AppScan still notifies me about vulnerabilities wherever any functions/classes are imported from the standard xml package, for example classes from ElementTree used to modify/build an XML tree:
from xml.etree.cElementTree import (  # vulnerability here (reported by AppScan)
    SubElement, Element, ElementTree)
import defusedxml.cElementTree as et
...
template = et.parse(template_filename)  # safe parsing
root = template.getroot()
email_list_el = root.find('emails').find('list')
for email_address in to_list:
    SubElement(email_list_el, 'string').text = email_address  # builds nodes only, parses nothing
root.find('subject')[0].text = subject
root.find('body')[0].text = body
...
Can this be considered a vulnerability if xml.dom.minidom is used only for writing XML?
ElementTree is not secured against maliciously constructed data. See list of vulnerabilities. Consider using defusedxml instead.