I scanned Python source code with AppScan, and it reports that the code contains a potential vulnerability (XML injection). For example:
import xml.dom.minidom
...
dom = xml.dom.minidom.parse(filename)
...
document = xml.dom.minidom.parseString(xmlStr)
...
I installed defusedxml and replaced every parse that used the standard Python xml package with parse / parseString from defusedxml.minidom and defusedxml.cElementTree:
import defusedxml.minidom
...
dom = defusedxml.minidom.parse(filename)
...
document = defusedxml.minidom.parseString(xmlStr)
...
Those vulnerabilities disappeared from the scan report. But AppScan still notifies me about vulnerabilities wherever any function/class is imported from the standard xml package, e.g. the ElementTree classes used to modify/build an XML tree:
from xml.etree.cElementTree import ( # vulnerability here
SubElement, Element, ElementTree)
import defusedxml.cElementTree as et
...
template = et.parse(template_filename) # safe parsing
root = template.getroot()
email_list_el = root.find('emails').find('list')
for email_address in to_list:
SubElement(email_list_el, 'string').text = email_address
root.find('subject')[0].text = subject
root.find('body')[0].text = body
...
If xml.dom.minidom is only used to write XML, can that be considered a vulnerability?
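The distinction the question turns on is between parsing untrusted XML (where defusedxml matters) and building a tree from untrusted values (where the tree API itself escapes the data). The following added example, which is not code from the post and uses only the standard library, rebuilds the mail template from the post with Element/SubElement and compares it with naive string concatenation. The template string and the address list are constructed sample data; the hypothetical address containing `</string><string>` shows what happens when a value carries markup.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs (not from the original post): values such as a
# recipient list could reach this code from an untrusted source.
UNTRUSTED_ADDRESSES = [
    "alice@example.com",
    "bob@example.com</string><string>injected@example.com",  # carries markup
    "carol&co@example.com",                                   # carries a bare '&'
]

# Constructed stand-in for the template file the post parses; it is our own
# constant, not untrusted input, so parsing it with the stdlib is fine.
TEMPLATE = ("<mail><emails><list/></emails>"
            "<subject><s/></subject><body><s/></body></mail>")


def build_with_tree(addresses, subject, body):
    """Build the document the way the post does: Element/SubElement.

    Text assigned via .text is stored as character data; tostring() escapes
    '<', '>' and '&' on output, so an address containing markup becomes ONE
    <string> element whose text holds the literal characters.
    """
    root = ET.fromstring(TEMPLATE)
    email_list_el = root.find('emails').find('list')
    for addr in addresses:
        ET.SubElement(email_list_el, 'string').text = addr
    root.find('subject')[0].text = subject
    root.find('body')[0].text = body
    return ET.tostring(root, encoding='unicode')


def build_with_concat(addresses, subject, body):
    """The case where 'writing XML' really is injectable: string formatting.

    Nothing is escaped, so markup inside a value becomes part of the document
    structure and a bare '&' produces an ill-formed document.
    """
    items = ''.join(f'<string>{a}</string>' for a in addresses)
    return (f'<mail><emails><list>{items}</list></emails>'
            f'<subject><s>{subject}</s></subject>'
            f'<body><s>{body}</s></body></mail>')


def recipients(xml_text):
    """Parse a document we produced ourselves and list the <string> texts.

    Returns None when the document is not well-formed. (Only our own output
    is parsed here; untrusted XML would go through defusedxml instead.)
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    return [el.text for el in root.find('emails').find('list')]


if __name__ == "__main__":
    safe = build_with_tree(UNTRUSTED_ADDRESSES, "Hello", "Body text")
    print(safe)                 # markup in the address appears as &lt;/string&gt;
    print(recipients(safe))     # three recipients, values round-trip intact

    unsafe = build_with_concat(UNTRUSTED_ADDRESSES[:2], "Hello", "Body text")
    print(recipients(unsafe))   # four? no: three, because one was injected
    print(recipients(build_with_concat(UNTRUSTED_ADDRESSES, "Hello", "Body text")))
```

Run with `python3 example.py`. The tree-built document round-trips all three addresses unchanged, while the concatenated version either gains a recipient that was never in the list or fails to parse at all. That is the practical reading of the scanner finding: the stdlib import is flagged because its parsers are the hazard, not because building and serialising a tree with it is.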