XML External Entity

Severity
High

Objects that parse or handle XML data are exposed to XML External Entity (XXE) attacks when the parser is not configured properly. Failing to restrict the processing of XML external entities can lead to server-side request forgery and information disclosure, because a DOCTYPE in attacker-supplied XML can reference local files or remote URLs that the parser then fetches.

Detector ID
python/xml-external-entity@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

def xml_parse_noncompliant():
    from lxml import etree
    # Noncompliant: resolve_entities is not disabled
    # and is set to True by default, so entities declared
    # in the document's DOCTYPE are expanded during parsing.
    parser = etree.XMLParser()
    tree1 = etree.parse('resources/xxe.xml', parser)
    return tree1

Compliant example

def xml_parse_compliant():
    from lxml import etree
    # Compliant: resolve_entities is disabled, so entity
    # references are left unexpanded instead of being
    # resolved to local files or remote resources.
    parser = etree.XMLParser(resolve_entities=False)
    tree1 = etree.parse('resources/xxe.xml', parser)
    return tree1
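The detector's rule can be reproduced as a small static check over Python source: every construction of lxml's `XMLParser` must pass `resolve_entities=False` explicitly, because the keyword defaults to `True`. The following is an added example written for this page, not CodeGuru's own detector implementation; it uses only the standard library `ast` module and runs over a constructed source sample that contains the two functions above plus a hypothetical third one (`xml_parse_explicit_true`) that sets the keyword to `True`. It goes slightly beyond the page in that it also flags the explicit `True` case and a bare `XMLParser(...)` call imported by name.

```python
import ast

# Constructed sample source to scan. The first two functions mirror the
# page's noncompliant/compliant examples; the third is hypothetical and
# shows an explicit resolve_entities=True, which is equally unsafe.
SAMPLE_SOURCE = '''
from lxml import etree

def xml_parse_noncompliant():
    parser = etree.XMLParser()
    return etree.parse('resources/xxe.xml', parser)

def xml_parse_compliant():
    parser = etree.XMLParser(resolve_entities=False)
    return etree.parse('resources/xxe.xml', parser)

def xml_parse_explicit_true():
    parser = etree.XMLParser(resolve_entities=True, no_network=True)
    return etree.parse('resources/xxe.xml', parser)
'''


def _is_xmlparser_call(node):
    """True for `etree.XMLParser(...)` or a bare `XMLParser(...)` call."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr == "XMLParser"
    if isinstance(func, ast.Name):
        return func.id == "XMLParser"
    return False


def _resolve_entities_reason(node):
    """Return None if resolve_entities is literally False, else a reason string.

    Only literal keyword arguments are inspected; a value spread in via
    **kwargs or computed at runtime is conservatively reported as unsafe.
    """
    for kw in node.keywords:
        if kw.arg == "resolve_entities":
            if isinstance(kw.value, ast.Constant) and kw.value.value is False:
                return None
            return "resolve_entities is not the literal False"
    return "resolve_entities not set (lxml default is True)"


def find_xxe_parsers(source):
    """Scan Python source and return (line, reason) for each unsafe XMLParser call."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call) and _is_xmlparser_call(node):
            reason = _resolve_entities_reason(node)
            if reason is not None:
                findings.append((node.lineno, reason))
    return findings


if __name__ == "__main__":
    for lineno, reason in find_xxe_parsers(SAMPLE_SOURCE):
        print(f"line {lineno}: XMLParser without XXE protection: {reason}")
```

The check reports the line of each offending constructor call so it can be wired into a pre-commit hook or CI step; it deliberately errs toward reporting when the keyword value is not a literal `False`, since a runtime-computed value cannot be proven safe statically.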