Skip to content

Commit 21da603

Browse files
committed
Update .qlref
1 parent 48bca5b commit 21da603

1 file changed

Lines changed: 5 additions & 7 deletions

File tree

  • python/ql/src/experimental/Security/CWE-611

python/ql/src/experimental/Security/CWE-611/XXE.qlref

Lines changed: 5 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -12,18 +12,16 @@ data retrieval techniques may allow attackers to steal sensitive data. Denial of
1212
in this situation.
1313
</p>
1414
<p>
15-
There are many XML parsers for Python, and most of them are vulnerable to XXE because their default settings enable
16-
parsing of external entities. This query currently identifies vulnerable XML parsing from the following parsers:
17-
<code>xml.etree.ElementTree.XMLParser</code>, <code>lxml.etree.XMLParser</code>, <code>lxml.etree.get_default_parser</code>,
18-
<code>xml.sax.make_parser</code>.
15+
Refer to the following links to check the details regarding how and which libraries are vulnerable:
16+
<li><a href="https://docs.python.org/3/library/xml.html#xml-vulnerabilities">Python 3</a>.</li>
17+
<li><a href="https://docs.python.org/2/library/xml.html#xml-vulnerabilities">Python 2</a>.</li>
1918
</p>
2019
</overview>
2120

2221
<recommendation>
2322
<p>
24-
The best way to prevent XXE attacks is to disable the parsing of any Document Type Declarations (DTDs) in untrusted data.
25-
If this is not possible you should disable the parsing of external general entities and external parameter entities.
26-
This improves security but the code will still be at risk of denial of service and server side request forgery attacks.
23+
Use <a href="https://docs.python.org/3/library/xml.html#the-defusedxml-package">defusedxml</a>, a Python package aimed
24+
to prevent any potentially malicious operation.
2725
</p>
2826
</recommendation>
2927

0 commit comments

Comments
 (0)