Use Safe Parsers in lxml Parsing Functions

[pixeeai]

This codemod sets the parser parameter in calls to lxml.etree.parse and lxml.etree.fromstring if omitted or set to None (the default value). Unfortunately, the default parser=None means lxml will rely on an unsafe parser, making your code potentially vulnerable to entity expansion attacks and external entity (XXE) attacks.

The changes look as follows:

  import lxml.etree
- lxml.etree.parse("path_to_file")
- lxml.etree.fromstring("xml_str")
+ lxml.etree.parse("path_to_file", parser=lxml.etree.XMLParser(resolve_entities=False))
+ lxml.etree.fromstring("xml_str", parser=lxml.etree.XMLParser(resolve_entities=False))

More reading

• https://lxml.de/apidoc/lxml.etree.html#lxml.etree.XMLParser
• https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
• https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html

Powered by: pixeebot (codemod ID: pixee:python/safe-lxml-parsing)

[pixeeai]

FYI - This change was autogenerated from a GitHub app - called Pixeebot. A code-quality GitHub App; like Dependabot, but for source code. Feel free to check it our for more details for how you can install it onto your project's repo for continued code hardening and code security recommendations.