Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add linter for XML calls allowing external entities (including DTD) #26

Open
mschwager opened this issue Mar 19, 2020 · 0 comments
Open

Add linter for XML calls allowing external entities (including DTD) #26

mschwager opened this issue Mar 19, 2020 · 0 comments

Comments

@mschwager
Copy link
Contributor

Per the Python documentation:

Changed in version 3.7.1: The SAX parser no longer processes general external entities by default to increase security. Before, the parser created network connections to fetch remote files or loaded local files from the file system for DTD and entities. The feature can be enabled again with method setFeature() on the parser object and argument feature_external_ges.

We should look for explicit enabling of the following features:

Enabling these features allows for XML XXE including DTD retrieval. We should detect usage of these features.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mschwager