Deserialization

PyXmlEtree

xml.etree.ElementTree is the stdlib XML parser. The C-accelerated parser has some built-in protections but still processes external entities in some configurations, which makes it an XXE sink. Prefer defusedxml for untrusted XML.

Taint flow: 0 sources, 3 sinks

Sinks (dangerous calls): .parse(), .fromstring(), .XMLParser()

Sinks

.parse() (sink)

Signature: xml.etree.ElementTree.parse(source, parser=None) -> ElementTree

Parses an XML file. XXE sink under certain Python versions and with custom parsers.

tracks: 0
.fromstring() (sink)

Signature: xml.etree.ElementTree.fromstring(text, parser=None) -> Element

Parses XML from a string. Same XXE considerations as parse().

tracks: 0
.XMLParser() (sink)

Signature: xml.etree.ElementTree.XMLParser(*, target=None, encoding=None) -> XMLParser

Custom parser. Fed untrusted input, it becomes an XXE sink.
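As an added example (not code from this rule page or from codepathfinder), the block below shows why parse()/fromstring() on untrusted input are flagged and the defusedxml-style gate a defender can build from the stdlib alone: reject any DOCTYPE or entity declaration before ElementTree ever sees the document. The sample documents and the helper names are constructed for the example.

```python
# Added example: stdlib ElementTree expands entities declared in an inline DTD,
# so the taint rule flags parse()/fromstring() on untrusted input. parse_untrusted()
# mimics defusedxml's policy (no DTD, no entity declarations) with stdlib expat.
import xml.etree.ElementTree as ET
import xml.parsers.expat


class DTDForbidden(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or an entity declaration."""


# Constructed samples: one benign document, one declaring an internal entity.
BENIGN_XML = "<note><to>ops</to></note>"
ENTITY_XML = '<!DOCTYPE note [<!ENTITY greet "hi">]><note>&greet;</note>'


def stdlib_parse_text(text: str) -> str:
    """Plain ET.fromstring(): entity references are expanded without complaint."""
    return ET.fromstring(text).text or ""


def parse_untrusted(text: str) -> ET.Element:
    """Pre-scan with expat; abort on any DTD, then hand clean XML to ElementTree."""
    scanner = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden(f"DOCTYPE {name!r} not allowed in untrusted XML")

    def on_entity_decl(name, *_):
        raise DTDForbidden(f"entity {name!r} declaration not allowed")

    scanner.StartDoctypeDeclHandler = on_doctype
    scanner.EntityDeclHandler = on_entity_decl
    scanner.Parse(text, True)  # exceptions raised inside handlers propagate here
    return ET.fromstring(text)


def rejects(text: str) -> bool:
    """True when parse_untrusted() refuses the document."""
    try:
        parse_untrusted(text)
    except DTDForbidden:
        return True
    return False
```

The pre-scan costs a second pass over the input; for large documents, switching the whole call site to defusedxml (which applies the same policy inside the parser) is the cheaper fix.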

Fully-Qualified Names

FQN: xml.etree.ElementTree (field: fqns[0])

A wrong FQN yields 0 findings. Verify the rule is actually matching: change fqns to a garbage value and confirm the rule then produces 0 results.

Import

rule.py
from codepathfinder.go_rule import PyXmlEtree