Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

B314 since Python 3.6 is not valid #1074

Open
CyberKatze opened this issue Dec 4, 2023 · 5 comments
Open

B314 since Python 3.6 is not valid #1074

CyberKatze opened this issue Dec 4, 2023 · 5 comments
Labels
bug Something isn't working

Comments

@CyberKatze
Copy link

CyberKatze commented Dec 4, 2023
edited
Loading

Describe the bug

I checked the python module xml processing and the vulns that bandit report is no longer there. maybe you should remove it:

Reproduction steps

  1. Using xml.etree
import xml.etree.ElementTree as ET
import xml as xml

tree = ET.parse('country_data.xml')
print(tree.findtext('body'))

output:

>> Issue: [B314:blacklist] Using xml.etree.ElementTree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.parse with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
   Severity: Medium   Confidence: High
   CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
   More Info: https://bandit.readthedocs.io/en/1.7.5/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
   Location: main.py:5:7
4
5       tree = ET.parse('country_data.xml')
6       print(tree.findtext('body'))

Expected behavior

Maybe remove [B314] or explain your concern there.

Bandit version

1.7.5 (Default)

Python version

3.11

Additional context

No response
@CyberKatze CyberKatze added the bug Something isn't working label Dec 4, 2023
@ericwb
Copy link
Member

ericwb commented Dec 9, 2023

So after some digging on this topic. Seems Python has a vendored version of expat embedded. This is the default version (at least for macOS and Windows). However, it does seem permitted
to use an external system level version. So maybe there is still a window of vulnerability there? In any case, the latest minor versions of Python 3.8 to 3.12 all vendor expat 2.5.0 now.
So it might make sense to deprecate or remove this check.

@ericwb
Copy link
Member

ericwb commented Dec 9, 2023

To see the vendored version of expat embedded in Python you can browse to:
https://github.com/python/cpython/blob/3.8/Modules/expat/expat.h#L1056C20-L1056C20

At the bottom of this header file you'll find the expat major, minor, and micro version.

@ericwb
Copy link
Member

ericwb commented Dec 9, 2023
edited
Loading

However, I also found that the oldest version of Python 3.8, 3.8.0, which Bandit officially still supports does include an older, vulnerable version of expat 2.2.8:
https://github.com/python/cpython/blob/v3.8.0/Modules/expat/expat.h#L1016

The same can be found for Python 3.9.0:
https://github.com/python/cpython/blob/v3.9.0/Modules/expat/expat.h#L1016

Python 3.10.0 is the first minor version to have the fixed expat 2.4.1:
https://github.com/python/cpython/blob/v3.10.0/Modules/expat/expat.h#L1042

As such, we should leave this plugin check for xml.etree.ElementTree at least until 3.9.0
is end-of-life.

@ericwb
Copy link
Member

ericwb commented Dec 9, 2023

Expat 2.4.1 wasn't added to Python 3.8 till 3.8.12. Similar for 3.9, not until 3.9.7.

@CyberKatze
Copy link
Author

I also checked the latest patch for python 3.6 (3.6.15) and 3.7 (3.7.17), both are safe. only from (3.5 <=) latest patch didn't include the fix. I couldn't find their repo branches that I can refer to, but I just tested by running all possible 5 possible xml vulns.
might be useful to know.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ericwb @CyberKatze