rapid7 / nexpose-client-python

DEPRECATED : Rapid7 Nexpose API client library written in Python
https://www.rapid7.com/
BSD 3-Clause "New" or "Revised" License

lxml vulnerable to quadratic blowup #44

Open nlevnaut opened 6 years ago

nlevnaut commented 6 years ago

Parsing XML from sources you don't control opens the door for multiple XML parser vulnerabilities. lxml prevents some, but not all, with quadratic blowup being one of them. Switching to defusedxml would fix this.

Expected Behavior

nexpose-client-python should avoid entity expansion when parsing incoming XML.

Current Behavior

nexpose-client-python may open up the user to XML parser vulnerabilities if pointed at a fake nexpose instance.

Possible Solution

Use defusedxml, which is a drop-in replacement for lxml.
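The mechanism this issue is about, as an added example that is not part of the report or of nexpose-client-python. It uses the standard-library expat binding rather than lxml (an assumption made so it runs without extra packages) and applies the same guard defusedxml uses: refuse any entity declaration in the DTD before the parser can expand anything. The document is constructed and benign in size; it only measures how much text a single internal entity produces when referenced repeatedly.

```python
"""Entity expansion measured against a guarded parser (constructed example)."""
import xml.parsers.expat

# Constructed, benign-sized input: one internal entity referenced 20 times.
ENTITY_VALUE = "0123456789"
REPEATS = 20
DOC_WITH_ENTITIES = (
    '<?xml version="1.0"?>\n'
    f'<!DOCTYPE r [<!ENTITY a "{ENTITY_VALUE}">]>\n'
    f"<r>{'&a;' * REPEATS}</r>"
)
# Constructed clean document with no DTD at all.
DOC_PLAIN = '<?xml version="1.0"?><r>hello</r>'


class EntitiesForbidden(ValueError):
    """Raised when the document declares any entity, internal or external."""


def _collect_text(parser, data):
    """Run one expat parser over data and return the character data it emits."""
    chunks = []
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return "".join(chunks)


def expanded_text(data):
    """Unguarded parse: expat substitutes every internal entity reference,
    so the output grows with (entity size x number of references)."""
    return _collect_text(xml.parsers.expat.ParserCreate(), data)


def guarded_text(data):
    """Guarded parse: the EntityDeclHandler fires while the DTD is read,
    i.e. before any reference in the body can be expanded."""
    parser = xml.parsers.expat.ParserCreate()

    def forbid(name, is_param, value, base, system_id, public_id, notation):
        raise EntitiesForbidden(f"entity declaration not allowed: {name!r}")

    parser.EntityDeclHandler = forbid
    # Belt and braces: never resolve an external entity reference either.
    parser.ExternalEntityRefHandler = lambda *args: 0
    return _collect_text(parser, data)


def is_rejected(data):
    """True when the guarded parser refuses the document."""
    try:
        guarded_text(data)
    except EntitiesForbidden:
        return True
    return False


if __name__ == "__main__":
    print("unguarded output length:", len(expanded_text(DOC_WITH_ENTITIES)))
    print("guarded rejects entity doc:", is_rejected(DOC_WITH_ENTITIES))
    print("guarded passes plain doc:", guarded_text(DOC_PLAIN))
```

The same idea carries over to lxml, which is what this client actually uses: `etree.XMLParser(resolve_entities=False, no_network=True)` keeps entity references unexpanded and blocks network fetches, and a wrapper like `guarded_text` can be applied to the raw response bytes before they reach any parser. In a client that only ever expects well-formed API responses, rejecting every DTD outright costs nothing.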

gschneider-r7 commented 6 years ago

From the documentation on defusedxml it seems like it's not necessarily a complete drop-in replacement. I may need to look into it some more, though.

For now I feel that this is a fairly low-priority issue since the risk of attack is very low. That said, if someone comes in with a pull request I won't turn them away.