SAST MRE corresponding to #434275(python/xml/rule-expatreader)

Vadym Riznyk requested to merge feat/issue-434275/rule-expatreader into main

SAST Vulnerable MRE Addition or Enhancement

Background Information

gitlab-org/gitlab#434275 is aimed at identifying possible XXE instances due to the usage of the xml.sax library.

Changes Summary

This MRE adds a simple Python application using the insecure reader and XML exploits for testing the vulnerable library.

Checklist

  • the MRE's dependencies are explicit and ideally pinned (e.g. using pipenv in the case of Python)
  • the MRE is dockerised and trivially runnable
  • the MRE's directory in the sast-rules-apps group (e.g. python-web-apps/django/security/injection/sql) and the rule's directory in the sast-rules repository are equivalent (e.g. python/django/security/injection/sql)
  • the MRE contains a README.md which explains how to:
    • run the application
    • shows the normal execution path without exploitation
    • shows the exploited execution path

Rule Evaluation

Test

Scan

semgrep scan -q --config rule-expatreader.yml rule-expatreader.py
                    
                    
┌──────────────────┐
│ 10 Code Findings │
└──────────────────┘
                                       
    rule-expatreader.py 
    ❯❱ python_xml_rule-expatreader
          The application was found using the `xml.sax.expatreader` package for processing XML.    
          Python's default XML processors suffer from various XML parsing vulnerabilities and care 
          must be taken when handling XML data. Additionally, depending on the version of Python,  
          more critical vulnerabilities such as eXternal XML Entity injection maybe exploitable.   
                                                                                                   
          The `xml.sax` package suffers from the following security risks as of Python 3.7.1: *    
          Billion laughs / exponential entity expansion - May allow an adversary to cause   a      
          Denial of Service (DoS) against the application parsing arbitrary XML. * Quadratic blowup
          entity expansion - Similar to above, but requires a larger input   to cause the Denial of
          Service.                                                                                 
                                                                                                   
          To remediate the above issues, consider using the                                        
          [defusedxml](https://pypi.org/project/defusedxml/) library when processing untrusted XML.
                                                                                                   
          Example parsing an XML document using defusedxml: ``` from defusedxml.ElementTree import 
          parse                                                                                    
                                                                                                   
          # Parse the inventory.xml file et = parse('inventory.xml') # Get the root element root = 
          et.getroot() # Work with the root element # ... ```                                      
                                                                                                   
          For more information on the various XML parsers and their vulnerabilities please see: -  
          https://docs.python.org/3/library/xml.html#xml-vulnerabilities                           
                                                                                                   
          For more information on XML security see OWASP's guide: - https://cheatsheetseries.owasp.
          org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#python                   
                                                                                                   
           28┆ parser = xml.sax.make_parser()
            ⋮┆----------------------------------------
           29┆ parser.setFeature(xml.sax.handler.feature_external_ges, True)
            ⋮┆----------------------------------------
           30┆ parser.setContentHandler(handler)
            ⋮┆----------------------------------------
           33┆ parser.parse(inp)
            ⋮┆----------------------------------------
           38┆ parser = xml.sax.make_parser().parse(sys.argv[1])
            ⋮┆----------------------------------------
           49┆ res = xml.sax.parseString(content, handler)
            ⋮┆----------------------------------------
           91┆ parser = xml.sax.expatreader.create_parser()
            ⋮┆----------------------------------------
           92┆ parser.setFeature(xml.sax.handler.feature_external_ges, True)
            ⋮┆----------------------------------------
           93┆ parser.setContentHandler(XMLHandler())
            ⋮┆----------------------------------------
           95┆ parser.parse(sys.argv[1])
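The findings above fire on two things the MRE does: building an xml.sax parser and flipping feature_external_ges back on. The following is an added, self-contained example (not the MRE's own code and not part of the rule) showing why that feature is the XXE switch: the same SYSTEM-entity payload leaks a file when external general entities are enabled and expands to nothing under the Python >= 3.7.1 default. The secret file, the payload and the TextCollector handler are constructed here for the demonstration; it uses only the standard library so it runs offline, which is also why the defusedxml remediation the finding recommends is not exercised here.

```python
import io
import os
import tempfile
import xml.sax
import xml.sax.handler
from pathlib import Path
from xml.sax.handler import ContentHandler


class TextCollector(ContentHandler):
    """Constructed handler: keeps the character data so we can see what &xxe; became."""

    def __init__(self):
        super().__init__()
        self._chunks = []

    def characters(self, content):
        self._chunks.append(content)

    @property
    def text(self):
        return "".join(self._chunks)


def parse_with_sax(xml_bytes: bytes, resolve_external_entities: bool) -> str:
    """Parse bytes with xml.sax and return the collected text content.

    feature_external_ges decides whether SYSTEM entities are fetched and inlined.
    Since Python 3.7.1 it defaults to False; the MRE sets it to True, which is
    exactly the line semgrep flags, and that is what turns a DTD into a file read.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text


def build_xxe_payload(target_file: str) -> bytes:
    """Constructed classic XXE document: declare an external entity, then reference it."""
    uri = Path(target_file).resolve().as_uri()  # file:///... URL for the target
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE data [\n"
        f'  <!ENTITY xxe SYSTEM "{uri}">\n'
        "]>\n"
        "<data>&xxe;</data>\n"
    ).encode()


def demo():
    """Run the payload through the insecure and the default configuration.

    Returns (leaked_text, safe_text): the file contents when external entities
    are enabled, and the empty string when they are left disabled.
    """
    # Constructed secret standing in for /etc/passwd or an application config.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("SECRET-TOKEN-123")
        secret_path = f.name
    try:
        payload = build_xxe_payload(secret_path)
        leaked = parse_with_sax(payload, resolve_external_entities=True)
        safe = parse_with_sax(payload, resolve_external_entities=False)
        return leaked, safe
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    leaked, safe = demo()
    print("feature_external_ges=True :", repr(leaked))
    print("feature_external_ges=False:", repr(safe))
```

The second result is empty rather than an error because expatreader's entity-reference callback simply skips external general entities when the feature is off; the entity is still declared and referenced without complaint. That is why the rule has to flag the setFeature call and not just the parser construction, and why an audit of an xml.sax code base should grep for feature_external_ges as well as for make_parser and create_parser.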