ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S2755/python/rule.adoc

98 lines
2.8 KiB
Plaintext
Raw Normal View History

Add missing rules because of approximative section names
2020-06-30 14:41:58 +02:00
include::../description.adoc[]
== Noncompliant Code Example
https://lxml.de/[lxml] module:
* When parsing XML:
----
parser = etree.XMLParser() # Noncompliant: by default resolve_entities is set to true
tree1 = etree.parse('ressources/xxe.xml', parser)
root1 = tree1.getroot()
parser = etree.XMLParser(resolve_entities=True) # Noncompliant
tree1 = etree.parse('ressources/xxe.xml', parser)
root1 = tree1.getroot()
----
* When validating XML:
----
parser = etree.XMLParser(resolve_entities=True) # Noncompliant
treexsd = etree.parse('ressources/xxe.xsd', parser)
rootxsd = treexsd.getroot()
schema = etree.XMLSchema(rootxsd)
----
* When transforming XML:
----
ac = etree.XSLTAccessControl(read_network=True, write_network=False) # Noncompliant, read_network is set to true/network access is authorized
transform = etree.XSLT(rootxsl, access_control=ac)
----
https://docs.python.org/3/library/xml.sax.html[xml.sax] module:
----
parser = xml.sax.make_parser()
myHandler = MyHandler()
parser.setContentHandler(myHandler)
parser.setFeature(feature_external_ges, True) # Noncompliant
parser.parse("ressources/xxe.xml")
----
== Compliant Solution
https://lxml.de/[lxml] module:
Export the small grammar fixes for python rspecs
2021-02-09 09:19:37 +01:00
* When parsing XML, disable ``++resolve_entities++`` and _network access_:
Add missing rules because of approximative section names
2020-06-30 14:41:58 +02:00
----
parser = etree.XMLParser(resolve_entities=False, no_network=True) # Compliant
tree1 = etree.parse('ressources/xxe.xml', parser)
root1 = tree1.getroot()
----
* When validating XML (note that network access https://bugs.launchpad.net/lxml/+bug/1234114[cannot be completely disabled] when calling XMLSchema):
----
parser = etree.XMLParser(resolve_entities=False) # Compliant: by default no_network is set to true
treexsd = etree.parse('ressources/xxe.xsd', parser)
rootxsd = treexsd.getroot()
schema = etree.XMLSchema(rootxsd) # Compliant
----
* When transforming XML, disable access to network and file system:
----
parser = etree.XMLParser(resolve_entities=False) # Compliant
treexsl = etree.parse('ressources/xxe.xsl', parser)
rootxsl = treexsl.getroot()
ac = etree.XSLTAccessControl.DENY_ALL # Compliant
transform = etree.XSLT(rootxsl, access_control=ac) # Compliant
----
To prevent xxe attacks with https://docs.python.org/3/library/xml.sax.html[xml.sax] module (for https://docs.python.org/3/library/xml.html#xml-vulnerabilities[other security reasons] than XXE, xml.sax is not recommended):
----
parser = xml.sax.make_parser()
myHandler = MyHandler()
parser.setContentHandler(myHandler)
parser.parse("ressources/xxe.xml") # Compliant: in version 3.7.1: The SAX parser no longer processes general external entities by default
parser.setFeature(feature_external_ges, False) # Compliant
parser.parse("ressources/xxe.xml")
----
include::../see.adoc[]
Export comments and rspec-to-rspec links from jira
2021-06-02 20:44:38 +02:00
ifdef::rspecator-view[]
== Comments And Links
(visible only on this page)
include::../comments-and-links.adoc[]
endif::rspecator-view[]
Reference in New Issue Copy Permalink