Use Safe Parsers in lxml Parsing Functions

[pixeeai]

This codemod sets the parser parameter in calls to lxml.etree.parse and lxml.etree.fromstring if omitted or set to None (the default value). Unfortunately, the default parser=None means lxml will rely on an unsafe parser, making your code potentially vulnerable to entity expansion attacks and external entity (XXE) attacks.

The changes look as follows:

  import lxml.etree
- lxml.etree.parse("path_to_file")
- lxml.etree.fromstring("xml_str")
+ lxml.etree.parse("path_to_file", parser=lxml.etree.XMLParser(resolve_entities=False))
+ lxml.etree.fromstring("xml_str", parser=lxml.etree.XMLParser(resolve_entities=False))

More reading

• https://lxml.de/apidoc/lxml.etree.html#lxml.etree.XMLParser
• https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
• https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html

Powered by: pixeebot (codemod ID: pixee:python/safe-lxml-parsing)

[pixeeai]

FYI - This change was autogenerated from a GitHub app - called Pixeebot. A code-quality GitHub App; like Dependabot, but for source code. Feel free to check it our for more details for how you can install it onto your project's repo for continued code hardening and code security recommendations.

[pixeeai]

Any chance you've had the time to review these changes?

If you're not interested implementing them at this time, no worries. I can close the PR and follow up with additional changes in the future. Also, this plugin is free for non-commercial open sourced projects, so feel free to give it an install if you want to see the other recommended PRs.

Thanks,
Zach