Skip to content

Commit 0d2646f

Browse files
committed
Polish documentation
1 parent 068150b commit 0d2646f

3 files changed

Lines changed: 62 additions & 0 deletions

File tree

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,13 @@
1+
from flask import request, Flask
2+
import lxml.etree
3+
import xml.etree.ElementTree
4+
5+
6+
@app.route("/example")
7+
def example():
8+
xml_content = request.args['xml_content']
9+
10+
parser = lxml.etree.XMLParser()
11+
parsed_xml = xml.etree.ElementTree.fromstring(xml_content, parser=parser)
12+
13+
return parsed_xml.text

python/ql/src/experimental/Security/CWE-611/XXE.ql

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6,6 +6,8 @@
66
* @id py/xxe
77
* @tags security
88
* external/cwe/cwe-611
9+
* external/cwe/cwe-776
10+
* external/cwe/cwe-827
911
*/
1012

1113
// determine precision above
Lines changed: 47 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,47 @@
1+
<!DOCTYPE qhelp PUBLIC
2+
"-//Semmle//qhelp//EN"
3+
"qhelp.dtd">
4+
<qhelp>
5+
6+
<overview>
7+
<p>
8+
Parsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack.
9+
This type of attack uses external entity references to access arbitrary files on a system, carry out denial of
10+
service, or server side request forgery. Even when the result of parsing is not returned to the user, out-of-band
11+
data retrieval techniques may allow attackers to steal sensitive data. Denial of services can also be carried out
12+
in this situation.
13+
</p>
14+
<p>
15+
There are many XML parsers for Python, and most of them are vulnerable to XXE because their default settings enable
16+
parsing of external entities. This query currently identifies vulnerable XML parsing from the following parsers:
17+
<code>xml.etree.ElementTree.XMLParser</code>, <code>lxml.etree.XMLParser</code>, <code>lxml.etree.get_default_parser</code>,
18+
<code>xml.sax.make_parser</code>.
19+
</p>
20+
</overview>
21+
22+
<recommendation>
23+
<p>
24+
The best way to prevent XXE attacks is to disable the parsing of any Document Type Declarations (DTDs) in untrusted data.
25+
If this is not possible you should disable the parsing of external general entities and external parameter entities.
26+
This improves security but the code will still be at risk of denial of service and server side request forgery attacks.
27+
</p>
28+
</recommendation>
29+
30+
<example>
31+
<p>
32+
The following example calls <code>xml.etree.ElementTree.fromstring</code> using a parser (<code>lxml.etree.XMLParser</code>)
33+
that is not safely configured on untrusted data, and is therefore inherently unsafe.
34+
</p>
35+
<sample src="XXE.py"/>
36+
</example>
37+
38+
<references>
39+
<li>Python <a href="https://www.edureka.co/blog/python-xml-parser-tutorial/">XML Parsing</a>.</li>
40+
<li>OWASP vulnerability description: <a href="https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing">XML External Entity (XXE) Processing</a>.</li>
41+
<li>OWASP guidance on parsing xml files: <a href="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java">XXE Prevention Cheat Sheet</a>.</li>
42+
<li>Paper by Timothy Morgen: <a href="https://research.nccgroup.com/2014/05/19/xml-schema-dtd-and-entity-attacks-a-compendium-of-known-techniques/">XML Schema, DTD, and Entity Attacks</a></li>
43+
<li>Out-of-band data retrieval: Timur Yunusov &amp; Alexey Osipov, Black hat EU 2013: <a href="https://www.slideshare.net/qqlan/bh-ready-v4">XML Out-Of-Band Data Retrieval</a>.</li>
44+
<li>Denial of service attack (Billion laughs): <a href="https://en.wikipedia.org/wiki/Billion_laughs">Billion Laughs.</a></li>
45+
</references>
46+
47+
</qhelp>

0 commit comments

Comments
 (0)