Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why is xml.etree.ElementTree considered insecure?

Tags:

python

security

xml

elementtree

According to Creating a simple XML file using python, one of the simplest ways to generate an XML file in Python is to use Python's built-in ElementTree XML API.

However, the Python 3 documentation includes the following warning:

Warning: The xml.etree.ElementTree module is not secure against maliciously constructed data. If you need to parse untrusted or unauthenticated data see XML vulnerabilities.

I had planned on using the ElementTree library to construct XML requests with user-inputted attribute values. However, I am now concerned about the security of my application.

For example, my application has a logon() function with arguments for a user-inputted username and password. These values are then used as XML attributes.

import xml.etree.ElementTree as ET

def logon(username, password):
    # Create XML logon request for external webservice
    root = ET.Element("xml")
    body = ET.SubElement(root, "Logon")
    body.set("Username", username)
    body.set("Password", password)

    return ET.tostring(root, encoding="UTF-8", method="xml")

Why is xml.etree.ElementTree considered insecure? Is it safe to use with user-defined XML attribute values?

like image 893
Stevoisiak Avatar asked Aug 31 '25 17:08

Stevoisiak

1 Answers

According to the section 20.4.1. XML vulnerabilities of the Python documentation, xml.etree.ElementTree is vulnerable to the Billion Laughs attack and to the quadratic blowup attack.

billion laughs / exponential entity expansion

The Billion Laughs attack – also known as exponential entity expansion – uses multiple levels of nested entities. Each entity refers to another entity several times, and the final entity definition contains a small string. The exponential expansion results in several gigabytes of text and consumes lots of memory and CPU time.

quadratic blowup entity expansion

A quadratic blowup attack is similar to a Billion Laughs attack; it abuses entity expansion, too. Instead of nested entities it repeats one large entity with a couple of thousand chars over and over again. The attack isn’t as efficient as the exponential case but it avoids triggering parser countermeasures that forbid deeply-nested entities.

As long as you don't parse maliciously crafted XML, you are safe.

like image 118
Ortomala Lokni Avatar answered Sep 02 '25 06:09

Ortomala Lokni
Sign in to Comment

Related questions

Async queue of tasks without a await
Combining sparse and einsum to perform large sparse sum
Which is quicker at fetching a result given an search in python. A list of dicts or a pandas dataframe?
Pip says it installs mysqlclient successfully, but cannot find it or uninstall it
How to fix error while installation of chatterbot? c1xx: fatal error C1083: Cannot open source file: 'preshed/maps.cpp': No such file or directory
AttributeError: 'Adam' object has no attribute 'build' during unpickling
Count number of zeros after last non-zero value per row
django.db.utils.NotSupportedError: PostgreSQL 12 or later is required (found 11.19)
Streamlit: Why does updating the session_state with form data require submitting the form twice?
Unable to obtain chromedriver.exe using Selenium Manager
Plotly figure not rendering in ipywidgets interact function (Google Colab)
how to access and print the multiple values of a key in python?
Call and execute an r script from Python
How to install and use both python 3.8 and 3.7 on windows 10
ValueError: install DBtypes to use this function
Index Pandas Dataframe mixing row number and column name
Makefile for python scripts
How to unbatch a Tensorflow 2.0 Dataset
How to make Shadow Mapping?
How do I add these tiny dots at the end of line plots in matplotlib?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!