stchris / untangle

Converts XML to Python objects
MIT License

xml.sax package is vulnerable to XML External Entities (XXE) injection #60

Closed morenopc closed 2 years ago

morenopc commented 5 years ago

I'd like to mention that xml.sax package is vulnerable to XML External Entities (XXE) injection.

The feature_external_ges is True by default (true: include all external general (text) entities), which means vulnerable to XXE injection.

For example, a possible solution could be to set it to False at untangle.py#L185:

```python
from xml.sax import make_parser, SAXException
from xml.sax.handler import feature_external_ges

parser = make_parser()
# Do not fetch or inline external general entities (the XXE vector)
parser.setFeature(feature_external_ges, False)
```

Please check:

stchris commented 5 years ago

Thanks, @morenopc ! I will consider that change and maybe release a security fix soon.

stchris commented 2 years ago

I tried to prevent some of this in #90 but in the end I made another release (1.2.1) which switches to defusedxml instead of xml.sax.
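As an added example (not code from this thread or from untangle), the check below parses one constructed document with `feature_external_ges` on and off, showing that only the permissive setting inlines the referenced local file into the parsed text; the temp file, its marker text and the function names are constructed here. Since Python 3.7.1 xml.sax sets this feature to False by default, so the example sets it explicitly in both directions.

```python
import os
import tempfile
from io import BytesIO
from xml.sax import make_parser
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects the document's character data, entity expansions included."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


def parse_text(xml_bytes, allow_external_ges):
    """Parse with xml.sax and return the text content.

    allow_external_ges=True is the behaviour the issue reports;
    False is the hardening proposed for untangle's parser setup.
    """
    parser = make_parser()
    parser.setFeature(feature_external_ges, allow_external_ges)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(BytesIO(xml_bytes))
    return "".join(handler.parts)


def external_entity_document(path):
    """Constructed sample: the document's only text is an external general
    entity whose SYSTEM id is a local file (the XXE pattern described above)."""
    return (b'<?xml version="1.0"?>\n<!DOCTYPE root [\n'
            b'  <!ENTITY ext SYSTEM "' + path.encode() + b'">\n]>\n'
            b'<root>&ext;</root>\n')


def check_hardening():
    """Return (text with external GEs allowed, text with them disabled)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("marker-from-local-file")  # constructed stand-in for a sensitive file
        path = f.name
    try:
        doc = external_entity_document(path)
        return (parse_text(doc, allow_external_ges=True),
                parse_text(doc, allow_external_ges=False))
    finally:
        os.unlink(path)
```

With the feature enabled the marker text is returned as document content; with it disabled the entity reference contributes nothing, which is the outcome untangle's fix (and later its switch to defusedxml) is meant to guarantee.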