XML Processing Modules¶
Source code:Lib/xml/
Python’s interfaces for processing XML are grouped in thexml package.
Note
If you need to parse untrusted or unauthenticated data, seeXML security.
It is important to note that modules in thexml package require thatthere be at least one SAX-compliant XML parser available. The Expat parser isincluded with Python, so thexml.parsers.expat module will always beavailable.
The documentation for thexml.dom andxml.sax packages are thedefinition of the Python bindings for the DOM and SAX interfaces.
The XML handling submodules are:
xml.etree.ElementTree: the ElementTree API, a simple and lightweightXML processor
xml.dom: the DOM API definitionxml.dom.minidom: a minimal DOM implementationxml.dom.pulldom: support for building partial DOM trees
xml.sax: SAX2 base classes and convenience functionsxml.parsers.expat: the Expat parser binding
XML security¶
An attacker can abuse XML features to carry out denial of service attacks,access local files, generate network connections to other machines, orcircumvent firewalls when attacker-controlled XML is being parsed,in Python or elsewhere.
The built-in XML parsers of Python rely on the librarylibexpat, commonlycalled Expat, for parsing XML.
By default, Expat itself does not access local files or create networkconnections.
Expat versions lower than 2.7.2 may be vulnerable to the “billion laughs”,“quadratic blowup” and “large tokens” vulnerabilities, or to disproportionaluse of dynamic memory.Python bundles a copy of Expat, and whether Python uses the bundled or asystem-wide Expat, depends on how the Python interpreterhasbeenconfigured in your environment.Python may be vulnerable if it uses such older versions of Expat.Checkpyexpat.EXPAT_VERSION.
xmlrpc isvulnerable to the “decompression bomb” attack.
- billion laughs / exponential entity expansion
TheBillion Laughs attack – also known as exponential entity expansion –uses multiple levels of nested entities. Each entity refers to another entityseveral times, and the final entity definition contains a small string.The exponential expansion results in several gigabytes of text andconsumes lots of memory and CPU time.
- quadratic blowup entity expansion
A quadratic blowup attack is similar to aBillion Laughs attack; it abusesentity expansion, too. Instead of nested entities it repeats one large entitywith a couple of thousand chars over and over again. The attack isn’t asefficient as the exponential case but it avoids triggering parser countermeasuresthat forbid deeply nested entities.
- decompression bomb
Decompression bombs (akaZIP bomb) apply to all XML librariesthat can parse compressed XML streams such as gzipped HTTP streams orLZMA-compressedfiles. For an attacker it can reduce the amount of transmitted data by threemagnitudes or more.
- large tokens
Expat needs to re-parse unfinished tokens; without the protectionintroduced in Expat 2.6.0, this can lead to quadratic runtime that canbe used to cause denial of service in the application parsing XML.The issue is known asCVE 2023-52425.