Open nlevnaut opened 6 years ago
From the documentation on defusedxml it seems like it's not necessarily a complete drop-in replacement. I may need to look into it some more, though.
For now I feel that this is a fairly low priority issue since the risk of attack is very low. That said, if someone comes in with a pull request I won't turn them away.
Parsing XML from sources you don't control opens the door for multiple XML parser vulnerabilities. lxml prevents some, but not all, with quadratic blowup being one of them. Switching to defusedxml would fix this.
Expected Behavior
nexpose-client-python should avoid entity expansion when parsing incoming XML.
Current Behavior
nexpose-client-python may open up the user to XML parser vulnerabilities if pointed at a fake nexpose instance.
Possible Solution
Use defusedxml, which is a drop-in replacement for lxml.
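Added example (not code from nexpose-client-python, and not from this thread): a stdlib-only guard that rejects entity declarations and external entity references before a response reaches ElementTree, using the same expat handler hooks that defusedxml installs. The sample XML documents are constructed for the demonstration; in the project itself the fix proposed above (parsing with defusedxml) is the simpler route.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat


class UnsafeXMLError(ValueError):
    """Raised when a document declares entities (or a DTD, if forbidden)."""


def check_xml_safe(data, forbid_dtd=False):
    """Run a first expat pass whose handlers refuse risky constructs.

    Mirrors defusedxml's forbid_entities/forbid_external (and forbid_dtd when
    requested). Raising inside a handler aborts Parse() with our exception.
    """
    parser = expat.ParserCreate()

    def refuse(what):
        def handler(*args):
            # args[0] is the entity or DOCTYPE name reported by expat
            raise UnsafeXMLError(f"refusing XML with {what}: {args[0]!r}")
        return handler

    parser.EntityDeclHandler = refuse("entity declaration")
    parser.UnparsedEntityDeclHandler = refuse("unparsed entity declaration")
    if forbid_dtd:
        parser.StartDoctypeDeclHandler = refuse("DOCTYPE")

    def external_ref(context, base, system_id, public_id):
        raise UnsafeXMLError(f"refusing external entity: {system_id!r}")

    parser.ExternalEntityRefHandler = external_ref
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeXMLError(f"malformed XML: {exc}") from exc


def is_safe_xml(data, forbid_dtd=False):
    """Boolean form of check_xml_safe for callers that just want a verdict."""
    try:
        check_xml_safe(data, forbid_dtd)
    except UnsafeXMLError:
        return False
    return True


def safe_fromstring(data, forbid_dtd=False):
    """Parse only after the guard pass; entity expansion never happens here."""
    check_xml_safe(data, forbid_dtd)
    return ET.fromstring(data)


# Constructed samples: a benign response, a DTD with no entities, and a
# document that declares an internal entity and references it repeatedly.
SAMPLE_RESPONSE = ('<?xml version="1.0"?><SiteListingResponse success="1">'
                   '<SiteSummary id="3" name="Test"/></SiteListingResponse>')
DTD_ONLY = '<?xml version="1.0"?><!DOCTYPE r><r/>'
ENTITY_EXPANSION = ('<?xml version="1.0"?><!DOCTYPE r [<!ENTITY a "aaaa">]>'
                    '<r>&a;&a;&a;</r>')
```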