|
4 | 4 | x = "some xml" |
5 | 5 |
|
6 | 6 | # different parsing methods |
7 | | -lxml.etree.fromstring(x) # $ xmlInput=x xmlVuln='XXE' |
8 | | -lxml.etree.fromstring(text=x) # $ xmlInput=x xmlVuln='XXE' |
| 7 | +lxml.etree.fromstring(x) # $ decodeFormat=XML decodeInput=x xmlVuln='XXE' decodeOutput=lxml.etree.fromstring(..) |
| 8 | +lxml.etree.fromstring(text=x) # $ decodeFormat=XML decodeInput=x xmlVuln='XXE' decodeOutput=lxml.etree.fromstring(..) |
9 | 9 |
|
10 | | -lxml.etree.fromstringlist([x]) # $ xmlInput=List xmlVuln='XXE' |
11 | | -lxml.etree.fromstringlist(strings=[x]) # $ xmlInput=List xmlVuln='XXE' |
| 10 | +lxml.etree.fromstringlist([x]) # $ decodeFormat=XML decodeInput=List xmlVuln='XXE' decodeOutput=lxml.etree.fromstringlist(..) |
| 11 | +lxml.etree.fromstringlist(strings=[x]) # $ decodeFormat=XML decodeInput=List xmlVuln='XXE' decodeOutput=lxml.etree.fromstringlist(..) |
12 | 12 |
|
13 | | -lxml.etree.XML(x) # $ xmlInput=x xmlVuln='XXE' |
14 | | -lxml.etree.XML(text=x) # $ xmlInput=x xmlVuln='XXE' |
| 13 | +lxml.etree.XML(x) # $ decodeFormat=XML decodeInput=x xmlVuln='XXE' decodeOutput=lxml.etree.XML(..) |
| 14 | +lxml.etree.XML(text=x) # $ decodeFormat=XML decodeInput=x xmlVuln='XXE' decodeOutput=lxml.etree.XML(..) |
15 | 15 |
|
16 | | -lxml.etree.parse(StringIO(x)) # $ xmlInput=StringIO(..) xmlVuln='XXE' |
17 | | -lxml.etree.parse(source=StringIO(x)) # $ xmlInput=StringIO(..) xmlVuln='XXE' |
| 16 | +lxml.etree.parse(StringIO(x)) # $ decodeFormat=XML decodeInput=StringIO(..) xmlVuln='XXE' decodeOutput=lxml.etree.parse(..) |
| 17 | +lxml.etree.parse(source=StringIO(x)) # $ decodeFormat=XML decodeInput=StringIO(..) xmlVuln='XXE' decodeOutput=lxml.etree.parse(..) |
18 | 18 |
|
19 | | -lxml.etree.parseid(StringIO(x)) # $ xmlInput=StringIO(..) xmlVuln='XXE' |
20 | | -lxml.etree.parseid(source=StringIO(x)) # $ xmlInput=StringIO(..) xmlVuln='XXE' |
| 19 | +lxml.etree.parseid(StringIO(x)) # $ decodeFormat=XML decodeInput=StringIO(..) xmlVuln='XXE' decodeOutput=lxml.etree.parseid(..) |
| 20 | +lxml.etree.parseid(source=StringIO(x)) # $ decodeFormat=XML decodeInput=StringIO(..) xmlVuln='XXE' decodeOutput=lxml.etree.parseid(..) |
21 | 21 |
|
22 | 22 | # With default parsers (nothing changed) |
23 | 23 | parser = lxml.etree.XMLParser() |
24 | | -lxml.etree.fromstring(x, parser=parser) # $ xmlInput=x xmlVuln='XXE' |
| 24 | +lxml.etree.fromstring(x, parser=parser) # $ decodeFormat=XML decodeInput=x xmlVuln='XXE' decodeOutput=lxml.etree.fromstring(..) |
25 | 25 |
|
26 | 26 | parser = lxml.etree.get_default_parser() |
27 | | -lxml.etree.fromstring(x, parser=parser) # $ xmlInput=x xmlVuln='XXE' |
| 27 | +lxml.etree.fromstring(x, parser=parser) # $ decodeFormat=XML decodeInput=x xmlVuln='XXE' decodeOutput=lxml.etree.fromstring(..) |
28 | 28 |
|
29 | 29 | # manual use of feed method |
30 | 30 | parser = lxml.etree.XMLParser() |
31 | | -parser.feed(x) # $ xmlInput=x xmlVuln='XXE' |
32 | | -parser.feed(data=x) # $ xmlInput=x xmlVuln='XXE' |
33 | | -parser.close() |
| 31 | +parser.feed(x) # $ decodeFormat=XML decodeInput=x xmlVuln='XXE' |
| 32 | +parser.feed(data=x) # $ decodeFormat=XML decodeInput=x xmlVuln='XXE' |
| 33 | +parser.close() # $ decodeOutput=parser.close() |
34 | 34 |
|
35 | 35 | # XXE-safe |
36 | 36 | parser = lxml.etree.XMLParser(resolve_entities=False) |
37 | | -lxml.etree.fromstring(x, parser) # $ xmlInput=x |
38 | | -lxml.etree.fromstring(x, parser=parser) # $ xmlInput=x |
| 37 | +lxml.etree.fromstring(x, parser) # $ decodeFormat=XML decodeInput=x decodeOutput=lxml.etree.fromstring(..) |
| 38 | +lxml.etree.fromstring(x, parser=parser) # $ decodeFormat=XML decodeInput=x decodeOutput=lxml.etree.fromstring(..) |
39 | 39 |
|
40 | 40 | # XXE-vuln |
41 | 41 | parser = lxml.etree.XMLParser(resolve_entities=True) |
42 | | -lxml.etree.fromstring(x, parser=parser) # $ xmlInput=x xmlVuln='XXE' |
| 42 | +lxml.etree.fromstring(x, parser=parser) # $ decodeFormat=XML decodeInput=x xmlVuln='XXE' decodeOutput=lxml.etree.fromstring(..) |
43 | 43 |
|
44 | 44 | # Billion laughs vuln (also XXE) |
45 | 45 | parser = lxml.etree.XMLParser(huge_tree=True) |
46 | | -lxml.etree.fromstring(x, parser=parser) # $ xmlInput=x xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup' xmlVuln='XXE' |
| 46 | +lxml.etree.fromstring(x, parser=parser) # $ decodeFormat=XML decodeInput=x xmlVuln='Billion Laughs' xmlVuln='Quadratic Blowup' xmlVuln='XXE' decodeOutput=lxml.etree.fromstring(..) |
47 | 47 |
|
48 | 48 | # Safe for both Billion laughs and XXE |
49 | 49 | parser = lxml.etree.XMLParser(resolve_entities=False, huge_tree=True) |
50 | | -lxml.etree.fromstring(x, parser=parser) # $ xmlInput=x |
| 50 | +lxml.etree.fromstring(x, parser=parser) # $ decodeFormat=XML decodeInput=x decodeOutput=lxml.etree.fromstring(..) |
51 | 51 |
|
52 | 52 | # DTD retrival vuln (also XXE) |
53 | 53 | parser = lxml.etree.XMLParser(load_dtd=True, no_network=False) |
54 | | -lxml.etree.fromstring(x, parser=parser) # $ xmlInput=x xmlVuln='DTD retrieval' xmlVuln='XXE' |
| 54 | +lxml.etree.fromstring(x, parser=parser) # $ decodeFormat=XML decodeInput=x xmlVuln='DTD retrieval' xmlVuln='XXE' decodeOutput=lxml.etree.fromstring(..) |