XML internal entity expansion

ID: py/xml-bomb
Kind: path-problem
Security severity: 7.5
Severity: warning
Precision: high
Tags:
  - security
  - external/cwe/cwe-776
  - external/cwe/cwe-400
Query suites:
  - python-code-scanning.qls
  - python-security-extended.qls
  - python-security-and-quality.qls


Parsing untrusted XML files with a weakly configured XML parser may be vulnerable to denial-of-service (DoS) attacks exploiting uncontrolled internal entity expansion.

In XML, so-called internal entities are a mechanism for introducing an abbreviation for a piece of text or part of a document. When a parser that has been configured to expand entities encounters a reference to an internal entity, it replaces the entity by the data it represents. The replacement text may itself contain other entity references, which are expanded recursively. This means that entity expansion can increase document size dramatically.

If untrusted XML is parsed with entity expansion enabled, a malicious attacker could submit a document that contains very deeply nested entity definitions, causing the parser to take a very long time or use large amounts of memory. This is sometimes called an XML bomb attack.

Recommendation

The safest way to prevent XML bomb attacks is to disable entity expansion when parsing untrusted data. Whether this can be done depends on the library being used. Note that some libraries, such as lxml, have measures enabled by default to prevent such DoS XML attacks, so unless you have explicitly set huge_tree to True, no further action is needed.

We recommend using the defusedxml PyPI package, which has been created to prevent XML attacks (both XXE and XML bombs).

Example

The following example uses the xml.etree XML parser provided by the Python standard library to parse a string xml_src. That string is from an untrusted source, so this code is vulnerable to a DoS attack, since the xml.etree XML parser expands internal entities by default:

from flask import Flask, request
import xml.etree.ElementTree as ET

app = Flask(__name__)


@app.post("/upload")
def upload():
    # Request body comes straight from the client: untrusted XML.
    xml_src = request.get_data()
    # BAD: xml.etree expands internal entities, so a crafted body can
    # blow up in size and time while being parsed.
    doc = ET.fromstring(xml_src)
    return ET.tostring(doc)

It is not possible to guard against internal entity expansion with xml.etree, so the following example uses the defusedxml PyPI package instead, which is not exposed to such internal entity expansion attacks.

from flask import Flask, request
import defusedxml.ElementTree as ET

app = Flask(__name__)


@app.post("/upload")
def upload():
    # Request body comes straight from the client: untrusted XML.
    xml_src = request.get_data()
    # GOOD: defusedxml refuses documents that declare entities, so the
    # untrusted input cannot trigger recursive expansion.
    doc = ET.fromstring(xml_src)
    return ET.tostring(doc)
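To make the expansion mechanism described above concrete, and to show the kind of guard that defusedxml applies in the fixed example, here is an added example that is not code from the CodeQL page, from the CodeQL project or from defusedxml. It builds a small, constructed nested-entity document, measures how far xml.etree expands it relative to its own size, and then parses untrusted input through a hypothetical parse_untrusted that pre-scans the bytes with the standard library's expat binding and aborts at the first entity declaration. That pre-scan is a stand-in for defusedxml's default behaviour (raising EntitiesForbidden), not defusedxml's code; the names EntityDeclarationForbidden, make_nested_entities, expanded_length, amplification, reject_entity_declarations and parse_untrusted, and the fanout/depth/leaf values, are assumptions of this example.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


def make_nested_entities(fanout: int, depth: int, leaf: str) -> str:
    """Constructed sample document: `depth` levels of internal entities, each
    referencing the level below `fanout` times. Fully expanded, the root text is
    fanout**depth copies of `leaf`, while the document itself stays small."""
    decls = [f'<!ENTITY e0 "{leaf}">']
    for level in range(1, depth + 1):
        refs = f"&e{level - 1};" * fanout
        decls.append(f'<!ENTITY e{level} "{refs}">')
    return "<!DOCTYPE r [\n" + "\n".join(decls) + "\n]>\n" + f"<r>&e{depth};</r>"


def expanded_length(xml_src: str) -> int:
    """Parse with xml.etree (entity expansion on) and return how many
    characters the root element's text occupies after expansion."""
    root = ET.fromstring(xml_src)
    return len(root.text or "")


def amplification(xml_src: str) -> float:
    """Expanded size divided by document size: how much work the parser did
    per byte of input. Recursive entity references drive this ratio up."""
    return expanded_length(xml_src) / len(xml_src)


class EntityDeclarationForbidden(ValueError):
    """Raised when untrusted input declares its own entities (assumed name)."""


def reject_entity_declarations(xml_bytes: bytes) -> None:
    """Pre-scan with expat and abort at the first <!ENTITY ...> declaration.
    Hypothetical stand-in for defusedxml's default (it raises EntitiesForbidden);
    the handler fires during DTD processing, before any reference is expanded."""
    parser = expat.ParserCreate()

    def on_entity_decl(name, is_parameter, value, base, system_id, public_id, notation):
        raise EntityDeclarationForbidden(f"entity declaration not allowed: {name}")

    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_bytes, True)


def parse_untrusted(xml_bytes: bytes) -> ET.Element:
    """Hypothetical hardened replacement for ET.fromstring on untrusted data:
    refuse any document that declares entities, then parse the rest normally."""
    reject_entity_declarations(xml_bytes)
    return ET.fromstring(xml_bytes)


if __name__ == "__main__":
    # Small constructed sample: 4 references per level, 3 levels, 8-byte leaf.
    bomb = make_nested_entities(fanout=4, depth=3, leaf="A" * 8)
    print(f"document: {len(bomb)} bytes, expanded text: {expanded_length(bomb)} bytes, "
          f"amplification: {amplification(bomb):.1f}x")
    try:
        parse_untrusted(bomb.encode())
    except EntityDeclarationForbidden as exc:
        print("rejected:", exc)
    print(parse_untrusted(b"<r>plain</r>").text)
```

The expanded text grows as fanout**depth while the document grows only linearly in depth, which is why a parser that expands entities cannot bound its work by the input size. The pre-scan costs a second pass over the input, and it only blocks documents that declare entities; it is shown here to explain what a package like defusedxml does for you, not as a replacement for using it.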
