Insecure Parser
ID | python.insecure_parser
Severity | low
Resource | Misconfiguration
Language | Python
Tags | CWE:502, CWE:611, CWE:776, OWASP:2021:A5, OWASP:2021:A8, PCI-DSS:6.5.1
Description
Using an insecure parser may result in several vulnerabilities, such as XXE or insecure deserialization that leads to code execution.
Rationale
Using insecure parsers can lead to various vulnerabilities, such as XML External Entity (XXE) attacks or arbitrary code execution, particularly when handling XML or YAML data.
These vulnerabilities arise when malicious content is processed without appropriate validation or configuration settings that disable dangerous features. Though the parser may appear secure while handling trusted data, there is a risk if the source of the data can change.
import xml.etree.ElementTree as ET
import yaml

# Example of potentially insecure XML parser usage
def parse_xml(xml_string):
    # The stock ElementTree parser honours DTD entity declarations
    tree = ET.ElementTree(ET.fromstring(xml_string))
    return tree

# Example of potentially insecure YAML parser usage
def parse_yaml(yaml_string):
    # FullLoader still constructs Python-specific tags, unlike safe_load
    data = yaml.load(yaml_string, Loader=yaml.FullLoader)
    return data
Both of these examples can be vulnerable when exposed to untrusted inputs due to the possibility of XXE in XML or arbitrary code execution in YAML.
Remediation
To avoid vulnerabilities, configure parsers securely by using safe parsing methods. Here are recommended practices for XML and YAML parsing:
import xml.etree.ElementTree as ET
import yaml

# Secure XML parsing using defusedxml
from defusedxml.ElementTree import fromstring as defused_fromstring

def secure_parse_xml(xml_string):
    # Use defusedxml to prevent XXE and entity expansion attacks
    tree = ET.ElementTree(defused_fromstring(xml_string))
    return tree

# Secure YAML parsing using a safe loader
def secure_parse_yaml(yaml_string):
    # Use safe_load (SafeLoader) to prevent arbitrary code execution
    data = yaml.safe_load(yaml_string)
    return data
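Added example, not part of the original rule page: it shows the XML half of the risk with the standard library only, so it runs without defusedxml or PyYAML. The stock ET.fromstring expands an entity declared in the DOCTYPE (the same mechanism XXE and entity-expansion attacks rely on), while a small pre-parse gate built on expat refuses such input; the gate hooks the same expat declaration handlers that defusedxml hooks, but the names EntitiesForbidden, assert_no_entities and guarded_parse_xml are assumptions of this example, not the library's API.

```python
"""Stdlib-only guard against the entity-declaration surface of ET.fromstring."""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class EntitiesForbidden(ValueError):
    """Raised when the document declares a DTD entity (or a DOCTYPE, if forbidden)."""


def assert_no_entities(xml_string: str, forbid_dtd: bool = False) -> None:
    """Pre-parse gate: walk the document with expat and abort on the first
    entity declaration (or on any DOCTYPE when forbid_dtd=True). Nothing is
    expanded here, so a malicious DTD cannot do damage in the gate itself."""
    parser = xml.parsers.expat.ParserCreate()

    def entity_decl(name, *args):  # called for internal and external entities
        raise EntitiesForbidden(f"entity declaration {name!r} is not allowed")

    def doctype_decl(name, *args):
        if forbid_dtd:
            raise EntitiesForbidden(f"DOCTYPE {name!r} is not allowed")

    parser.EntityDeclHandler = entity_decl
    parser.UnparsedEntityDeclHandler = entity_decl
    parser.StartDoctypeDeclHandler = doctype_decl
    parser.Parse(xml_string, True)


def guarded_parse_xml(xml_string: str) -> ET.Element:
    """Hardened counterpart of parse_xml(): refuse entity-bearing input first."""
    assert_no_entities(xml_string)
    return ET.fromstring(xml_string)


# Constructed sample: one harmless internal entity, declared the same way
# an XXE or "billion laughs" document declares its entities.
ENTITY_DOC = """<?xml version="1.0"?>
<!DOCTYPE note [ <!ENTITY greet "hello"> ]>
<note>&greet;</note>"""
PLAIN_DOC = "<note>hello</note>"


def stdlib_expands_entity() -> str:
    """Show the risk: the stock parser honours the DTD and expands the entity."""
    return ET.fromstring(ENTITY_DOC).text


def guard_rejects(doc: str, forbid_dtd: bool = False) -> bool:
    """True if the gate refuses doc; used to check both the entity and DOCTYPE cases."""
    try:
        assert_no_entities(doc, forbid_dtd=forbid_dtd)
    except EntitiesForbidden:
        return True
    return False
```

The gate only decides whether to hand the bytes to ElementTree at all; for production use, defusedxml as shown in the remediation above also covers external entity resolution and expansion limits.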