📜 XML External Entities (XXE)

Severity: Medium
Score: 6.5
Accuracy: 30% Confirmed
Language: Python
CVSS v3.1: /AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Potential XXE vulnerability detected. Ensure that XML parsers are configured to disable external entity processing. XXE vulnerabilities occur when XML input containing external entities is processed by the application, potentially leading to data exposure or denial of service.

👾 Vulnerable Code

import xml.etree.ElementTree as ET
from flask import Flask, request, jsonify

app = Flask(__name__)

@app.route('/parse', methods=['POST'])
def parse_xml():
    # Vulnerable Code
    # This code parses XML without disabling external entities, allowing potential XXE attacks.
    xml_data = request.data
    try:
        root = ET.fromstring(xml_data)
        return jsonify({"message": "XML parsed successfully"})
    except ET.ParseError as e:
        return jsonify({"error": str(e)}), 400

if __name__ == '__main__':
    app.run()


How to fix your code
Ensure that XML parsers are configured securely. In the example below, entity resolution is disabled when the parser is constructed: parser = ET.XMLParser(resolve_entities=False). Note that resolve_entities is an option of lxml's XMLParser; the standard library's xml.etree.ElementTree.XMLParser does not accept it.
This is just an example:

🛠️ How to fix

# resolve_entities is an lxml option; xml.etree.ElementTree.XMLParser would
# raise TypeError on it, so the hardened parser is built with lxml.
from lxml import etree as ET
from flask import Flask, request, jsonify
import io

app = Flask(__name__)

# Function to parse XML safely
def safe_parse_xml(xml_data):
    # Do not expand entities and never reach out to the network for DTDs or entities.
    parser = ET.XMLParser(resolve_entities=False, no_network=True)
    return ET.parse(io.BytesIO(xml_data), parser=parser)

@app.route('/parse', methods=['POST'])
def parse_xml():
    # Secure Code
    # This code parses XML safely by disabling the resolution of external entities.
    xml_data = request.data
    try:
        tree = safe_parse_xml(xml_data)
        return jsonify({"message": "XML parsed successfully"})
    except ET.ParseError as e:
        # lxml's XMLSyntaxError is a subclass of ParseError, so malformed input lands here.
        return jsonify({"error": str(e)}), 400

if __name__ == '__main__':
    app.run()
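As an added example that is not part of this rule page, the following shows a stricter, standard-library-only alternative to resolve_entities=False for APIs that never expect a DTD: the parse is aborted as soon as a DOCTYPE is reported, so neither external nor internal entities can be declared, and the body size is capped. The class and function names are my own, and the three sample bodies are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET


class DTDForbidden(ValueError):
    """Raised when untrusted XML carries a DOCTYPE, the container for ENTITY declarations."""


class NoDTDBuilder(ET.TreeBuilder):
    """TreeBuilder that aborts the parse as soon as a DOCTYPE is reported."""

    def doctype(self, name, pubid, system):
        # ElementTree calls target.doctype() on <!DOCTYPE ...>, before any entity is expanded.
        raise DTDForbidden(f"DOCTYPE {name!r} (system id {system!r}) is not accepted")


def parse_untrusted_xml(xml_data: bytes, max_bytes: int = 1_000_000) -> ET.Element:
    """Parse XML from an untrusted client, refusing DTDs and oversized bodies."""
    if len(xml_data) > max_bytes:
        raise ValueError(f"XML body exceeds {max_bytes} bytes")
    parser = ET.XMLParser(target=NoDTDBuilder())
    parser.feed(xml_data)
    return parser.close()


def classify(xml_data: bytes) -> str:
    """Return 'ok', 'dtd-rejected' or 'malformed' for a request body."""
    try:
        parse_untrusted_xml(xml_data)
        return "ok"
    except DTDForbidden:
        return "dtd-rejected"
    except ET.ParseError:
        return "malformed"


# Constructed sample bodies for the demonstration (not captured traffic).
BENIGN = b"<order><item sku='A-1' qty='2'/></order>"
# XXE-shaped body: an external entity pointing at a placeholder URI.
EXTERNAL_ENTITY = (
    b"<?xml version='1.0'?>"
    b"<!DOCTYPE order [<!ENTITY ext SYSTEM 'file:///PLACEHOLDER/not-a-real-path'>]>"
    b"<order>&ext;</order>"
)
# Internal-entity body: the shape used for entity-expansion denial of service.
INTERNAL_ENTITY = (
    b"<!DOCTYPE order [<!ENTITY a 'aaaaaaaaaa'><!ENTITY b '&a;&a;&a;&a;'>]>"
    b"<order>&b;</order>"
)

if __name__ == "__main__":
    for label, body in [("benign", BENIGN), ("external", EXTERNAL_ENTITY), ("internal", INTERNAL_ENTITY)]:
        print(f"{label}: {classify(body)}")
```

Rejecting every DOCTYPE is deliberately broader than disabling entity resolution; use it only where legitimate clients have no reason to send a DTD.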