Use Safe Defaults for lxml Parsers #25

Open
wants to merge 1 commit into
base: master

pixeebot[bot]
@pixeebot pixeebot bot commented May 17, 2025

This codemod configures safe parameter values when initializing lxml.etree.XMLParser, lxml.etree.ETCompatXMLParser, lxml.etree.XMLTreeBuilder, or lxml.etree.XMLPullParser. If parameters resolve_entities, no_network, and dtd_validation are not set to safe values, your code may be vulnerable to entity expansion attacks and external entity (XXE) attacks.

Parameters no_network and dtd_validation have safe default values of True and False, respectively, so this codemod will set each to the default safe value if your code has assigned either to an unsafe value.

Parameter resolve_entities has an unsafe default value of True. This codemod will set resolve_entities=False if set to True or omitted.

The changes look as follows:

  import lxml.etree

- parser = lxml.etree.XMLParser()
- parser = lxml.etree.XMLParser(resolve_entities=True)
- parser = lxml.etree.XMLParser(resolve_entities=True, no_network=False, dtd_validation=True)
+ parser = lxml.etree.XMLParser(resolve_entities=False)
+ parser = lxml.etree.XMLParser(resolve_entities=False)
+ parser = lxml.etree.XMLParser(resolve_entities=False, no_network=True, dtd_validation=False)
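
Review bot: In the third replacement, `dtd_validation=True` becomes `dtd_validation=False`, which silently removes DTD validation from a call site that asked for it explicitly; code that relied on the parser rejecting invalid documents will now accept them. Consider leaving that case for manual review, or confirm that validation is enforced elsewhere before merging. The first two replacements deserve a regression test as well: with `resolve_entities=False` entity references are no longer expanded, so any caller that reads the expanded text of internally defined entities will see different output.
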
More reading

🧚🤖 Powered by Pixeebot

Feedback | Community | Docs | Codemod ID: pixee:python/safe-lxml-parser-defaults
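
A static check that applies the three rules from the description above to Python source, using only the standard library `ast` module. This is an added example, not Pixee's codemod or code from this PR; the function names, the sample input and the name-only matching of parser classes are assumptions.

```python
import ast

# Classes and rules as listed in the PR description. Matching is by class name
# only (an assumption of this sketch); it does not prove the name is lxml's.
PARSERS = {"XMLParser", "ETCompatXMLParser", "XMLTreeBuilder", "XMLPullParser"}
RULES = {
    "resolve_entities": (False, False),  # (safe value, safe when omitted?)
    "no_network": (True, True),
    "dtd_validation": (False, True),
}


def callee_name(func):
    """Last component of a call target, e.g. 'XMLParser' for lxml.etree.XMLParser."""
    if isinstance(func, ast.Attribute):
        return func.attr
    return func.id if isinstance(func, ast.Name) else None


def find_unsafe_parsers(source):
    """Return sorted (line, keyword, reason) findings for parser constructions."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and callee_name(node.func) in PARSERS):
            continue
        given = {kw.arg: kw.value for kw in node.keywords if kw.arg}
        for name, (safe, safe_if_omitted) in RULES.items():
            if name not in given:
                if not safe_if_omitted:
                    findings.append((node.lineno, name, "omitted"))
            elif not isinstance(given[name], ast.Constant):
                findings.append((node.lineno, name, "non-literal"))
            elif given[name].value is not safe:
                findings.append((node.lineno, name, f"expected {safe}"))
    return sorted(findings)


# Constructed sample input modelled on the "before" lines of the diff.
SAMPLE = """\
import lxml.etree
a = lxml.etree.XMLParser()
b = lxml.etree.XMLParser(resolve_entities=True, no_network=False, dtd_validation=True)
c = lxml.etree.XMLParser(resolve_entities=False)
d = lxml.etree.XMLPullParser(resolve_entities=flag)
"""

if __name__ == "__main__":
    for line, kw, why in find_unsafe_parsers(SAMPLE):
        print(f"line {line}: {kw} ({why})")
```

A value that is not a literal is reported rather than guessed at, since the check cannot tell what it resolves to at run time.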
