I ran a quick bandit scan against python-stix and observed the following issues. Most are medium/low severity, though.
```text
Issue: [B320:blacklist] Using lxml.etree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace lxml.etree.parse with its defusedxml equivalent function.
Severity: Medium Confidence: High
Location: python-stix/stix/extensions/test_mechanism/open_ioc_2010_test_mechanism.py:95
94 parser = mixbox.xml.get_xml_parser()
95 return_obj.ioc = etree.parse(BytesIO(d['ioc']), parser=parser)
96

Issue: [B410:blacklist] Using etree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace etree with the equivalent defusedxml package.
Severity: Low Confidence: High
Location: python-stix/stix/test/extensions/malware/maec_4_1_malware_test.py:5
4
5 from lxml import etree
6 import mixbox.xml

Issue: [B320:blacklist] Using lxml.etree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace lxml.etree.parse with its defusedxml equivalent function.
Severity: Medium Confidence: High
Location: python-stix/stix/test/extensions/malware/maec_4_1_malware_test.py:86
85 parser = mixbox.xml.get_xml_parser()
86 tree = etree.parse(BytesIO(xml), parser=parser)
87 root = tree.getroot()

Issue: [B320:blacklist] Using lxml.etree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace lxml.etree.parse with its defusedxml equivalent function.
Severity: Medium Confidence: High
Location: python-stix/stix/test/extensions/malware/maec_4_1_malware_test.py:99
98 parser = mixbox.xml.get_xml_parser()
99 tree = etree.parse(StringIO(self.XML), parser=parser)
100

Issue: [B320:blacklist] Using lxml.etree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace lxml.etree.parse with its defusedxml equivalent function.
Severity: Medium Confidence: High
Location: python-stix/stix/test/extensions/malware/maec_4_1_malware_test.py:108
107 parser = mixbox.xml.get_xml_parser()
108 tree = etree.parse(StringIO(self.XML), parser=parser)
109 ext = MAECInstance()

Issue: [B410:blacklist] Using lxml to parse untrusted XML data is known to be vulnerable to XML attacks. Replace lxml with the equivalent defusedxml package.
Severity: Low Confidence: High
Location: python-stix/stix/test/extensions/test_mechanisms/openioc_test.py:6
5
6 import lxml
7
8 from mixbox import idgen

Issue: [B320:blacklist] Using lxml.etree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace lxml.etree.parse with its defusedxml equivalent function.
Severity: Medium Confidence: High
Location: python-stix/stix/test/extensions/test_mechanisms/openioc_test.py:132
131 parser = mixbox.xml.get_xml_parser()
132 tree = lxml.etree.parse(BytesIO(xml), parser=parser)
133 root = tree.getroot()

Issue: [B320:blacklist] Using lxml.etree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace lxml.etree.parse with its defusedxml equivalent function.
Severity: Medium Confidence: High
Location: python-stix/stix/test/extensions/test_mechanisms/openioc_test.py:144
143 parser = mixbox.xml.get_xml_parser()
144 tree = lxml.etree.parse(StringIO(self.XML), parser=parser)
145

Issue: [B320:blacklist] Using lxml.etree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace lxml.etree.parse with its defusedxml equivalent function.
Severity: Medium Confidence: High
Location: python-stix/stix/test/extensions/test_mechanisms/openioc_test.py:152
151 parser = mixbox.xml.get_xml_parser()
152 tree = lxml.etree.parse(StringIO(self.XML), parser=parser)
153 ext = OpenIOCTestMechanism()

Issue: [B410:blacklist] Using lxml.etree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace lxml.etree with the equivalent defusedxml package.
Severity: Low Confidence: High
Location: python-stix/stix/test/utils/nsparser_test.py:8
7 # external
8 import lxml.etree
9 from mixbox.vendor.six import StringIO

Issue: [B410:blacklist] Using lxml.etree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace lxml.etree with the equivalent defusedxml package.
Severity: Low Confidence: High
Location: python-stix/stix/utils/__init__.py:9
8
9 import lxml.etree
10
11 from mixbox.entities import Entity, EntityList

Issue: [B320:blacklist] Using lxml.etree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace lxml.etree.fromstring with its defusedxml equivalent function.
Severity: Medium Confidence: High
Location: python-stix/stix/utils/__init__.py:108
107 xml = "{0}".format(text)
108 node = lxml.etree.fromstring(xml)
109 return node.text
```
Thanks, @santosomar. We'll take a look at this. If you have the time to make a pull request before we get a chance to, it would be greatly appreciated!
Hello All,
Kindly let me know what is the suggested solution to this message:
"Issue: [B320:blacklist] Using lxml.etree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace lxml.etree.fromstring with its defusedxml equivalent function."
Thank you.
PS: I'm not using python-stix, but the message I have encountered is the same!
FWIW defusedxml.lxml was never intended as production code, is incomplete (it doesn't handle decompression bombs), has been deprecated and will eventually be removed: tiran/defusedxml#38
So even ignoring that this issue has fallen by the wayside, implementing this change is not a good idea long-term. Especially since lxml has protection for at least a subset of the issues (sadly entity expansion is still enabled by default but can be disabled by configuring the parser with resolve_entities=False)
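The mitigation named in the comment above, lxml's own `resolve_entities=False` parser option, as an added example that is neither python-stix's code nor the commenter's. It parses one constructed document containing a harmless internal entity twice, once with lxml's default parser and once with a hardened parser, so the difference in behaviour is visible, and its `root_text` helper mirrors the `lxml.etree.fromstring(...)` / `node.text` pattern that bandit flagged in `stix/utils/__init__.py`. The function names, the sample document and the entity name `greeting` are this example's own assumptions.

```python
"""Added example (not python-stix code): lxml parser hardening as suggested in
the issue thread. The XML below is constructed for the demonstration and
declares a single harmless internal entity."""
from io import BytesIO
from typing import Optional

from lxml import etree

# Constructed input: an internal entity declaration plus one reference to it.
SAMPLE_XML = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE note [<!ENTITY greeting "expanded-by-parser">]>'
    b'<note>&greeting;</note>'
)


def make_hardened_parser() -> etree.XMLParser:
    """Parser that leaves entity references unexpanded and never loads
    external resources. The options besides resolve_entities are lxml's
    defaults, spelled out so the intent is visible in code review."""
    return etree.XMLParser(
        resolve_entities=False,  # the option named in the issue comment
        no_network=True,         # never fetch external DTDs or entities
        load_dtd=False,          # do not load an external DTD subset
        huge_tree=False,         # keep libxml2's depth/size limits active
    )


def root_text(xml_bytes: bytes, parser: Optional[etree.XMLParser] = None):
    """Parse with the given parser (lxml's default when None) and return the
    root element's text, mirroring the flagged fromstring()/node.text use.
    With the hardened parser the entity is kept as a child node instead of
    being substituted into the text, so this returns None."""
    root = etree.fromstring(xml_bytes, parser=parser)
    return root.text


def serialize_root(xml_bytes: bytes, parser: etree.XMLParser) -> bytes:
    """Re-serialize the parsed root so the reader can see whether the entity
    reference survived (&greeting;) or was replaced by its value."""
    tree = etree.parse(BytesIO(xml_bytes), parser=parser)
    return etree.tostring(tree.getroot())


if __name__ == "__main__":
    hardened = make_hardened_parser()
    print("default parser text :", root_text(SAMPLE_XML))
    print("hardened parser text:", root_text(SAMPLE_XML, hardened))
    print("hardened re-serialized:", serialize_root(SAMPLE_XML, hardened))
```

Because the hardened parser keeps `&greeting;` as an entity node rather than substituting its value, code that consumed `node.text` must be prepared for `None` where the old behaviour produced a string; that is the trade-off the comment alludes to when it calls entity expansion merely "disabled" rather than sanitized.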