René's URL Explorer Experiment


Title: Consider using defusedxml instead of lxml.etree to avoid certain XML attacks. · Issue #312 · STIXProject/python-stix · GitHub

Open Graph Title: Consider using defusedxml instead of lxml.etree to avoid certain XML attacks. · Issue #312 · STIXProject/python-stix

X Title: Consider using defusedxml instead of lxml.etree to avoid certain XML attacks. · Issue #312 · STIXProject/python-stix

Description: I ran a quick bandit scan against python-stix and observed the following issues. Most are medium/low severity, though. Issue: [B320:blacklist] Using lxml.etree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. R...

Open Graph Description: I ran a quick bandit scan against python-stix and observed the following issues. Most are medium/low severity, though. Issue: [B320:blacklist] Using lxml.etree.parse to parse untrusted XML data is ...

X Description: I ran a quick bandit scan against python-stix and observed the following issues. Most are medium/low severity, though. Issue: [B320:blacklist] Using lxml.etree.parse to parse untrusted XML data is ...

Opengraph URL: https://github.com/STIXProject/python-stix/issues/312

X: @github

direct link

Domain: patch-diff.githubusercontent.com

Hey, it has json ld scripts: 
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"Consider using defusedxml instead of  lxml.etree to avoid certain XML attacks.","articleBody":"I ran a quick bandit scan against python-stix and observed the following issues. Most are medium/low severity, though.\r\n\r\n\u003e\u003e Issue: [B320:blacklist] Using lxml.etree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace lxml.etree.parse with its defusedxml equivalent function.\r\n   Severity: Medium   Confidence: High\r\n   Location: python-stix/stix/extensions/test_mechanism/open_ioc_2010_test_mechanism.py:95\r\n94\t            parser = mixbox.xml.get_xml_parser()\r\n95\t            return_obj.ioc = etree.parse(BytesIO(d['ioc']), parser=parser)\r\n96\r\n\r\n--------------------------------------------------\r\n\u003e\u003e Issue: [B410:blacklist] Using etree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace etree with the equivalent defusedxml package.\r\n   Severity: Low   Confidence: High\r\n   Location: python-stix/stix/test/extensions/malware/maec_4_1_malware_test.py:5\r\n4\r\n5\tfrom lxml import etree\r\n6\timport mixbox.xml\r\n\r\n--------------------------------------------------\r\n\u003e\u003e Issue: [B320:blacklist] Using lxml.etree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace lxml.etree.parse with its defusedxml equivalent function.\r\n   Severity: Medium   Confidence: High\r\n   Location: python-stix/stix/test/extensions/malware/maec_4_1_malware_test.py:86\r\n85\t        parser = mixbox.xml.get_xml_parser()\r\n86\t        tree = etree.parse(BytesIO(xml), parser=parser)\r\n87\t        root = tree.getroot()\r\n\r\n--------------------------------------------------\r\n\u003e\u003e Issue: [B320:blacklist] Using lxml.etree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace lxml.etree.parse with its defusedxml equivalent function.\r\n   Severity: Medium   Confidence: High\r\n   Location: python-stix/stix/test/extensions/malware/maec_4_1_malware_test.py:99\r\n98\t        parser = mixbox.xml.get_xml_parser()\r\n99\t        tree = etree.parse(StringIO(self.XML), parser=parser)\r\n100\r\n\r\n--------------------------------------------------\r\n\u003e\u003e Issue: [B320:blacklist] Using lxml.etree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace lxml.etree.parse with its defusedxml equivalent function.\r\n   Severity: Medium   Confidence: High\r\n   Location: python-stix/stix/test/extensions/malware/maec_4_1_malware_test.py:108\r\n107\t        parser = mixbox.xml.get_xml_parser()\r\n108\t        tree = etree.parse(StringIO(self.XML), parser=parser)\r\n109\t        ext = MAECInstance()\r\n\r\n--------------------------------------------------\r\n\u003e\u003e Issue: [B410:blacklist] Using lxml to parse untrusted XML data is known to be vulnerable to XML attacks. Replace lxml with the equivalent defusedxml package.\r\n   Severity: Low   Confidence: High\r\n   Location: python-stix/stix/test/extensions/test_mechanisms/openioc_test.py:6\r\n5\r\n6\timport lxml\r\n7\r\n8\tfrom mixbox import idgen\r\n\r\n--------------------------------------------------\r\n\u003e\u003e Issue: [B320:blacklist] Using lxml.etree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace lxml.etree.parse with its defusedxml equivalent function.\r\n   Severity: Medium   Confidence: High\r\n   Location: python-stix/stix/test/extensions/test_mechanisms/openioc_test.py:132\r\n131\t        parser = mixbox.xml.get_xml_parser()\r\n132\t        tree = lxml.etree.parse(BytesIO(xml), parser=parser)\r\n133\t        root = tree.getroot()\r\n\r\n--------------------------------------------------\r\n\u003e\u003e Issue: [B320:blacklist] Using lxml.etree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace lxml.etree.parse with its defusedxml equivalent function.\r\n   Severity: Medium   Confidence: High\r\n   Location: python-stix/stix/test/extensions/test_mechanisms/openioc_test.py:144\r\n143\t        parser = mixbox.xml.get_xml_parser()\r\n144\t        tree = lxml.etree.parse(StringIO(self.XML), parser=parser)\r\n145\r\n\r\n--------------------------------------------------\r\n\u003e\u003e Issue: [B320:blacklist] Using lxml.etree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace lxml.etree.parse with its defusedxml equivalent function.\r\n   Severity: Medium   Confidence: High\r\n   Location: python-stix/stix/test/extensions/test_mechanisms/openioc_test.py:152\r\n151\t        parser = mixbox.xml.get_xml_parser()\r\n152\t        tree = lxml.etree.parse(StringIO(self.XML), parser=parser)\r\n153\t        ext = OpenIOCTestMechanism()\r\n\r\n--------------------------------------------------\r\n\u003e\u003e Issue: [B410:blacklist] Using lxml.etree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace lxml.etree with the equivalent defusedxml package.\r\n   Severity: Low   Confidence: High\r\n   Location: python-stix/stix/test/utils/nsparser_test.py:8\r\n7\t# external\r\n8\timport lxml.etree\r\n9\tfrom mixbox.vendor.six import StringIO\r\n\r\n--------------------------------------------------\r\n\u003e\u003e Issue: [B410:blacklist] Using lxml.etree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace lxml.etree with the equivalent defusedxml package.\r\n   Severity: Low   Confidence: High\r\n   Location: python-stix/stix/utils/__init__.py:9\r\n8\r\n9\timport lxml.etree\r\n10\r\n11\tfrom mixbox.entities import Entity, EntityList\r\n\r\n--------------------------------------------------\r\n\u003e\u003e Issue: [B320:blacklist] Using lxml.etree.fromstring to parse untrusted XML data is known to be vulnerable to XML attacks. Replace lxml.etree.fromstring with its defusedxml equivalent function.\r\n   Severity: Medium   Confidence: High\r\n   Location: python-stix/stix/utils/__init__.py:108\r\n107\t    xml = \"\u003ce\u003e{0}\u003c/e\u003e\".format(text)\r\n108\t    node = lxml.etree.fromstring(xml)\r\n109\t    return node.text","author":{"url":"https://github.com/santosomar","@type":"Person","name":"santosomar"},"datePublished":"2016-11-23T04:27:28.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":3},"url":"https://github.com/312/python-stix/issues/312"}
route-pattern/_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format)
route-controllervoltron_issues_fragments
route-actionissue_layout
fetch-noncev2:9c8578cc-fe8a-f9e6-cca0-2c8a289229da
current-catalog-service-hash81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114
request-idDC54:51C6B:218A474:2CF578D:697060BB
html-safe-nonce278295a103313cfa372e869dc29dc12007100e7c70ba048b84237dffef05bda2
visitor-payloadeyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJEQzU0OjUxQzZCOjIxOEE0NzQ6MkNGNTc4RDo2OTcwNjBCQiIsInZpc2l0b3JfaWQiOiI2MTA3MjAyODYyNTQ4Mjc5NDgzIiwicmVnaW9uX2VkZ2UiOiJpYWQiLCJyZWdpb25fcmVuZGVyIjoiaWFkIn0=
visitor-hmac1e7a767c39143e8af36c4cf0b5f98cf02edf00a9400184854899b328a3f0310d
hovercard-subject-tagissue:191186652
github-keyboard-shortcutsrepository,issues,copilot
google-site-verificationApib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I
octolytics-urlhttps://collector.github.com/github/collect
analytics-location///voltron/issues_fragments/issue_layout
fb:app_id1401488693436528
apple-itunes-appapp-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/STIXProject/python-stix/312/issue_layout
twitter:imagehttps://opengraph.githubassets.com/f6ffca98df96dd4951b66a8836b10cec77de588df7c458ea2de438098d2d7c1e/STIXProject/python-stix/issues/312
twitter:cardsummary_large_image
og:imagehttps://opengraph.githubassets.com/f6ffca98df96dd4951b66a8836b10cec77de588df7c458ea2de438098d2d7c1e/STIXProject/python-stix/issues/312
og:image:altI ran a quick bandit scan against python-stix and observed the following issues. Most are medium/low severity, though. Issue: [B320:blacklist] Using lxml.etree.parse to parse untrusted XML data is ...
og:image:width1200
og:image:height600
og:site_nameGitHub
og:typeobject
og:author:usernamesantosomar
hostnamegithub.com
expected-hostnamegithub.com
None9920a62ba22d06470388e2904804fb7e5ec51c9e35f81784e9191394c74b2bd2
turbo-cache-controlno-preview
go-importgithub.com/STIXProject/python-stix git https://github.com/STIXProject/python-stix.git
octolytics-dimension-user_id2774079
octolytics-dimension-user_loginSTIXProject
octolytics-dimension-repository_id8163746
octolytics-dimension-repository_nwoSTIXProject/python-stix
octolytics-dimension-repository_publictrue
octolytics-dimension-repository_is_forkfalse
octolytics-dimension-repository_network_root_id8163746
octolytics-dimension-repository_network_root_nwoSTIXProject/python-stix
turbo-body-classeslogged-out env-production page-responsive
disable-turbofalse
browser-stats-urlhttps://api.github.com/_private/browser/stats
browser-errors-urlhttps://api.github.com/_private/browser/errors
release7d6181066430cc06553c8396ca201e194ae33cb9
ui-targetfull
theme-color#1e2327
color-schemelight dark

Links:

Skip to contenthttps://patch-diff.githubusercontent.com/STIXProject/python-stix/issues/312#start-of-content
https://patch-diff.githubusercontent.com/
Sign in https://patch-diff.githubusercontent.com/login?return_to=https%3A%2F%2Fgithub.com%2FSTIXProject%2Fpython-stix%2Fissues%2F312
GitHub CopilotWrite better code with AIhttps://github.com/features/copilot
GitHub SparkBuild and deploy intelligent appshttps://github.com/features/spark
GitHub ModelsManage and compare promptshttps://github.com/features/models
MCP RegistryNewIntegrate external toolshttps://github.com/mcp
ActionsAutomate any workflowhttps://github.com/features/actions
CodespacesInstant dev environmentshttps://github.com/features/codespaces
IssuesPlan and track workhttps://github.com/features/issues
Code ReviewManage code changeshttps://github.com/features/code-review
GitHub Advanced SecurityFind and fix vulnerabilitieshttps://github.com/security/advanced-security
Code securitySecure your code as you buildhttps://github.com/security/advanced-security/code-security
Secret protectionStop leaks before they starthttps://github.com/security/advanced-security/secret-protection
Why GitHubhttps://github.com/why-github
Documentationhttps://docs.github.com
Bloghttps://github.blog
Changeloghttps://github.blog/changelog
Marketplacehttps://github.com/marketplace
View all featureshttps://github.com/features
Enterpriseshttps://github.com/enterprise
Small and medium teamshttps://github.com/team
Startupshttps://github.com/enterprise/startups
Nonprofitshttps://github.com/solutions/industry/nonprofits
App Modernizationhttps://github.com/solutions/use-case/app-modernization
DevSecOpshttps://github.com/solutions/use-case/devsecops
DevOpshttps://github.com/solutions/use-case/devops
CI/CDhttps://github.com/solutions/use-case/ci-cd
View all use caseshttps://github.com/solutions/use-case
Healthcarehttps://github.com/solutions/industry/healthcare
Financial serviceshttps://github.com/solutions/industry/financial-services
Manufacturinghttps://github.com/solutions/industry/manufacturing
Governmenthttps://github.com/solutions/industry/government
View all industrieshttps://github.com/solutions/industry
View all solutionshttps://github.com/solutions
AIhttps://github.com/resources/articles?topic=ai
Software Developmenthttps://github.com/resources/articles?topic=software-development
DevOpshttps://github.com/resources/articles?topic=devops
Securityhttps://github.com/resources/articles?topic=security
View all topicshttps://github.com/resources/articles
Customer storieshttps://github.com/customer-stories
Events & webinarshttps://github.com/resources/events
Ebooks & reportshttps://github.com/resources/whitepapers
Business insightshttps://github.com/solutions/executive-insights
GitHub Skillshttps://skills.github.com
Documentationhttps://docs.github.com
Customer supporthttps://support.github.com
Community forumhttps://github.com/orgs/community/discussions
Trust centerhttps://github.com/trust-center
Partnershttps://github.com/partners
GitHub SponsorsFund open source developershttps://github.com/sponsors
Security Labhttps://securitylab.github.com
Maintainer Communityhttps://maintainers.github.com
Acceleratorhttps://github.com/accelerator
Archive Programhttps://archiveprogram.github.com
Topicshttps://github.com/topics
Trendinghttps://github.com/trending
Collectionshttps://github.com/collections
Enterprise platformAI-powered developer platformhttps://github.com/enterprise
GitHub Advanced SecurityEnterprise-grade security featureshttps://github.com/security/advanced-security
Copilot for BusinessEnterprise-grade AI featureshttps://github.com/features/copilot/copilot-business
Premium SupportEnterprise-grade 24/7 supporthttps://github.com/premium-support
Pricinghttps://github.com/pricing
Search syntax tipshttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
documentationhttps://docs.github.com/search-github/github-code-search/understanding-github-code-search-syntax
Sign in https://patch-diff.githubusercontent.com/login?return_to=https%3A%2F%2Fgithub.com%2FSTIXProject%2Fpython-stix%2Fissues%2F312
Sign up https://patch-diff.githubusercontent.com/signup?ref_cta=Sign+up&ref_loc=header+logged+out&ref_page=%2F%3Cuser-name%3E%2F%3Crepo-name%3E%2Fvoltron%2Fissues_fragments%2Fissue_layout&source=header-repo&source_repo=STIXProject%2Fpython-stix
Reloadhttps://patch-diff.githubusercontent.com/STIXProject/python-stix/issues/312
Reloadhttps://patch-diff.githubusercontent.com/STIXProject/python-stix/issues/312
Reloadhttps://patch-diff.githubusercontent.com/STIXProject/python-stix/issues/312
STIXProject https://patch-diff.githubusercontent.com/STIXProject
python-stixhttps://patch-diff.githubusercontent.com/STIXProject/python-stix
Notifications https://patch-diff.githubusercontent.com/login?return_to=%2FSTIXProject%2Fpython-stix
Fork 89 https://patch-diff.githubusercontent.com/login?return_to=%2FSTIXProject%2Fpython-stix
Star 246 https://patch-diff.githubusercontent.com/login?return_to=%2FSTIXProject%2Fpython-stix
Code https://patch-diff.githubusercontent.com/STIXProject/python-stix
Issues 26 https://patch-diff.githubusercontent.com/STIXProject/python-stix/issues
Pull requests 0 https://patch-diff.githubusercontent.com/STIXProject/python-stix/pulls
Actions https://patch-diff.githubusercontent.com/STIXProject/python-stix/actions
Projects 0 https://patch-diff.githubusercontent.com/STIXProject/python-stix/projects
Wiki https://patch-diff.githubusercontent.com/STIXProject/python-stix/wiki
Security Uh oh! There was an error while loading. Please reload this page. https://patch-diff.githubusercontent.com/STIXProject/python-stix/security
Please reload this pagehttps://patch-diff.githubusercontent.com/STIXProject/python-stix/issues/312
Insights https://patch-diff.githubusercontent.com/STIXProject/python-stix/pulse
Code https://patch-diff.githubusercontent.com/STIXProject/python-stix
Issues https://patch-diff.githubusercontent.com/STIXProject/python-stix/issues
Pull requests https://patch-diff.githubusercontent.com/STIXProject/python-stix/pulls
Actions https://patch-diff.githubusercontent.com/STIXProject/python-stix/actions
Projects https://patch-diff.githubusercontent.com/STIXProject/python-stix/projects
Wiki https://patch-diff.githubusercontent.com/STIXProject/python-stix/wiki
Security https://patch-diff.githubusercontent.com/STIXProject/python-stix/security
Insights https://patch-diff.githubusercontent.com/STIXProject/python-stix/pulse
New issuehttps://patch-diff.githubusercontent.com/login?return_to=https://github.com/STIXProject/python-stix/issues/312
New issuehttps://patch-diff.githubusercontent.com/login?return_to=https://github.com/STIXProject/python-stix/issues/312
Consider using defusedxml instead of lxml.etree to avoid certain XML attacks.https://patch-diff.githubusercontent.com/STIXProject/python-stix/issues/312#top
https://github.com/santosomar
https://github.com/santosomar
santosomarhttps://github.com/santosomar
on Nov 23, 2016https://github.com/STIXProject/python-stix/issues/312#issue-191186652
https://github.com
Termshttps://docs.github.com/site-policy/github-terms/github-terms-of-service
Privacyhttps://docs.github.com/site-policy/privacy-policies/github-privacy-statement
Securityhttps://github.com/security
Statushttps://www.githubstatus.com/
Communityhttps://github.community/
Docshttps://docs.github.com/
Contacthttps://support.github.com?tags=dotcom-footer

Viewport: width=device-width

URLs of crawlers that visited me.