sdk/python/Deserialization/PyXmlSax

PyXmlSax

xml.sax is the stdlib SAX parser. By default it resolves external entities — XXE sink on untrusted XML. Disable with parser.setFeature(feature_external_ges, False) or use defusedxml.sax.

3 sinks

Taint flow0 sources → 3 sinks

Sinks — dangerous call

.parse()Parses XML with a SAX handler

.parseString()Parses XML from a string

.make_parser()Creates a SAX parser

Sinks

— dangerous functions taint must not reach

.parse()Sink

Signature

xml.sax.parse(source, handler, error_handler=...) -> None

Parses XML with a SAX handler. XXE sink by default.

tracks:0

.parseString()Sink

Signature

xml.sax.parseString(string, handler, error_handler=...) -> None

Parses XML from a string. XXE sink.

tracks:0

.make_parser()Sink

Signature

xml.sax.make_parser(parser_list=()) -> XMLReader

Creates a SAX parser. XXE-prone unless external entities are disabled.

Fully-Qualified Names

FQN	Field
xml.sax	fqns[0]

Wrong FQN → 0 findings. Verify with: change fqns to garbage → must produce 0 results.

Import

rule.py

from codepathfinder.go_rule import PyXmlSax

← PreviousPyXmlEtree

Next →PyXmlrpc