Python XXE via resolve_entities
Description
The detector identifies XML External Entity (XXE) vulnerabilities in Python code that uses lxml's etree.XMLParser. The weakness occurs when the parser is configured to resolve external entities (the lxml default), so maliciously crafted XML input can lead to information disclosure, denial of service, or server-side request forgery.
Detection Strategy
• Identifies calls to etree.XMLParser constructor in Python code
• Checks if the parser is created without explicitly setting resolve_entities=False
• Reports a vulnerability when the XMLParser is instantiated with default settings or resolve_entities=True
• Analyzes the configuration parameters passed to XMLParser to determine if external entity resolution is enabled
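The following is an added example of the detection strategy above, written for this page and not taken from Fluid Attacks' own detector. It walks the Python AST, finds every call to a function named XMLParser (whether referenced as etree.XMLParser, lxml.etree.XMLParser or a bare imported XMLParser), and reports the call unless resolve_entities is set to the literal False. The two source snippets it scans are constructed to mirror the vulnerable and secure examples on this page.

```python
import ast
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    """One reported XMLParser call: source line and why it was flagged."""
    line: int
    reason: str


def _is_xmlparser_call(call: ast.Call) -> bool:
    """True for `XMLParser(...)`, `etree.XMLParser(...)`, `lxml.etree.XMLParser(...)`."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id == "XMLParser"
    if isinstance(func, ast.Attribute):
        return func.attr == "XMLParser"
    return False


def _classify(call: ast.Call) -> Optional[str]:
    """Return a reason string if the call enables entity resolution, else None."""
    explicit = [k for k in call.keywords if k.arg == "resolve_entities"]
    if not explicit:
        # `**config` hides the real settings from static analysis; report it.
        if any(k.arg is None for k in call.keywords):
            return "resolve_entities passed via ** cannot be verified statically"
        return "resolve_entities not set (lxml defaults to True)"
    value = explicit[-1].value  # last keyword wins if repeated
    if isinstance(value, ast.Constant) and value.value is False:
        return None  # explicitly disabled: safe
    if isinstance(value, ast.Constant) and value.value is True:
        return "resolve_entities=True explicitly enables external entity resolution"
    return "resolve_entities is not the literal False; treat as unsafe"


def find_xxe_parsers(source: str) -> List[Finding]:
    """Scan Python source text and return every flagged XMLParser construction."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _is_xmlparser_call(node):
            reason = _classify(node)
            if reason is not None:
                findings.append(Finding(node.lineno, reason))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample inputs mirroring the page's vulnerable and secure examples.
VULNERABLE_SNIPPET = """\
from lxml import etree
parser = etree.XMLParser()
parser_unsafe = etree.XMLParser(resolve_entities=True)
"""

SECURE_SNIPPET = """\
from lxml import etree
parser = etree.XMLParser(resolve_entities=False)
"""

if __name__ == "__main__":
    for name, snippet in (("vulnerable", VULNERABLE_SNIPPET), ("secure", SECURE_SNIPPET)):
        for finding in find_xxe_parsers(snippet):
            print(f"{name}:{finding.line}: {finding.reason}")
```

A non-literal value such as resolve_entities=flag is reported rather than trusted, matching the page's rule that only an explicit resolve_entities=False counts as safe; a reviewer can then confirm the runtime value by hand.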
Vulnerable code example
from lxml import etree
# Vulnerable: XMLParser with default resolve_entities=True allows XXE attacks
parser = etree.XMLParser()
# Also vulnerable: explicitly enabling entity resolution
parser_unsafe = etree.XMLParser(resolve_entities=True)
✅ Secure code example
from lxml import etree
# Safe: Explicitly disable entity resolution to prevent XXE attacks
parser = etree.XMLParser(resolve_entities=False)
# Create parser with additional security settings
parser_safe = etree.XMLParser(
    resolve_entities=False,  # Prevents XXE attacks by disabling external entity resolution
)