rspec/rules/S2755/python/rule.adoc

== Why is this an issue?

include::../description.adoc[]

=== Noncompliant code example

https://lxml.de/[lxml] module:

* When parsing XML:

[source,python]
----
parser = etree.XMLParser() # Noncompliant: by default resolve_entities is set to true
tree1 = etree.parse('ressources/xxe.xml', parser) 
root1 = tree1.getroot()

parser = etree.XMLParser(resolve_entities=True) # Noncompliant
tree1 = etree.parse('ressources/xxe.xml', parser) 
root1 = tree1.getroot()
----

* When validating XML:

[source,python]
----
parser = etree.XMLParser(resolve_entities=True) # Noncompliant
treexsd = etree.parse('ressources/xxe.xsd', parser) 
rootxsd = treexsd.getroot()
schema = etree.XMLSchema(rootxsd) 
----

* When transforming XML:

[source,python]
----
ac = etree.XSLTAccessControl(read_network=True, write_network=False)  # Noncompliant, read_network is set to true/network access is authorized
transform = etree.XSLT(rootxsl, access_control=ac) 
----

https://docs.python.org/3/library/xml.sax.html[xml.sax] module:

[source,python]
----
parser = xml.sax.make_parser()
myHandler = MyHandler()
parser.setContentHandler(myHandler)

parser.setFeature(feature_external_ges, True) # Noncompliant
parser.parse("ressources/xxe.xml")
----

=== Compliant solution

https://lxml.de/[lxml] module:

* When parsing XML, disable ``++resolve_entities++`` and _network access_:

[source,python]
----
parser = etree.XMLParser(resolve_entities=False, no_network=True) # Compliant 
tree1 = etree.parse('ressources/xxe.xml', parser)
root1 = tree1.getroot()
----

* When validating XML (note that network access https://bugs.launchpad.net/lxml/+bug/1234114[cannot be completely disabled] when calling XMLSchema):

[source,python]
----
parser = etree.XMLParser(resolve_entities=False) # Compliant: by default no_network is set to true
treexsd = etree.parse('ressources/xxe.xsd', parser) 
rootxsd = treexsd.getroot()
schema = etree.XMLSchema(rootxsd) # Compliant
----

* When transforming XML, disable access to network and file system:

[source,python]
----
parser = etree.XMLParser(resolve_entities=False) # Compliant
treexsl = etree.parse('ressources/xxe.xsl', parser)  
rootxsl = treexsl.getroot()

ac = etree.XSLTAccessControl.DENY_ALL  # Compliant
transform = etree.XSLT(rootxsl, access_control=ac) # Compliant
----

To prevent xxe attacks with https://docs.python.org/3/library/xml.sax.html[xml.sax] module (for https://docs.python.org/3/library/xml.html#xml-vulnerabilities[other security reasons] than XXE, xml.sax is not recommended):

[source,python]
----
parser = xml.sax.make_parser()
myHandler = MyHandler()
parser.setContentHandler(myHandler)
parser.parse("ressources/xxe.xml") # Compliant: in version 3.7.1: The SAX parser no longer processes general external entities by default

parser.setFeature(feature_external_ges, False) # Compliant
parser.parse("ressources/xxe.xml")
----

include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::../message.adoc[]

include::highlighting.adoc[]

'''
== Comments And Links
(visible only on this page)

include::../comments-and-links.adoc[]
endif::env-github,rspecator-view[]
migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`== Why is this an issue?`

Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`include::../description.adoc[]`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Noncompliant code example`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00
			`https://lxml.de/[lxml] module:`

			`* When parsing XML:`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,python]`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`----`
			`parser = etree.XMLParser() # Noncompliant: by default resolve_entities is set to true`
			`tree1 = etree.parse('ressources/xxe.xml', parser)`
			`root1 = tree1.getroot()`

			`parser = etree.XMLParser(resolve_entities=True) # Noncompliant`
			`tree1 = etree.parse('ressources/xxe.xml', parser)`
			`root1 = tree1.getroot()`
			`----`

			`* When validating XML:`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,python]`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`----`
			`parser = etree.XMLParser(resolve_entities=True) # Noncompliant`
			`treexsd = etree.parse('ressources/xxe.xsd', parser)`
			`rootxsd = treexsd.getroot()`
			`schema = etree.XMLSchema(rootxsd)`
			`----`

			`* When transforming XML:`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,python]`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`----`
			`ac = etree.XSLTAccessControl(read_network=True, write_network=False) # Noncompliant, read_network is set to true/network access is authorized`
			`transform = etree.XSLT(rootxsl, access_control=ac)`
			`----`

			`https://docs.python.org/3/library/xml.sax.html[xml.sax] module:`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,python]`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`----`
			`parser = xml.sax.make_parser()`
			`myHandler = MyHandler()`
			`parser.setContentHandler(myHandler)`

			`parser.setFeature(feature_external_ges, True) # Noncompliant`
			`parser.parse("ressources/xxe.xml")`
			`----`

migrate rule descriptions to new education format 2023-05-03 11:06:20 +02:00			`=== Compliant solution`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00
			`https://lxml.de/[lxml] module:`

Export the small grammar fixes for python rspecs 2021-02-09 09:19:37 +01:00			* When parsing XML, disable ``++resolve_entities++`` and _network access_:
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00
RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,python]`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`----`
			`parser = etree.XMLParser(resolve_entities=False, no_network=True) # Compliant`
			`tree1 = etree.parse('ressources/xxe.xml', parser)`
			`root1 = tree1.getroot()`
			`----`

			`* When validating XML (note that network access https://bugs.launchpad.net/lxml/+bug/1234114[cannot be completely disabled] when calling XMLSchema):`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,python]`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`----`
			`parser = etree.XMLParser(resolve_entities=False) # Compliant: by default no_network is set to true`
			`treexsd = etree.parse('ressources/xxe.xsd', parser)`
			`rootxsd = treexsd.getroot()`
			`schema = etree.XMLSchema(rootxsd) # Compliant`
			`----`

			`* When transforming XML, disable access to network and file system:`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,python]`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`----`
			`parser = etree.XMLParser(resolve_entities=False) # Compliant`
			`treexsl = etree.parse('ressources/xxe.xsl', parser)`
			`rootxsl = treexsl.getroot()`

			`ac = etree.XSLTAccessControl.DENY_ALL # Compliant`
			`transform = etree.XSLT(rootxsl, access_control=ac) # Compliant`
			`----`

			`To prevent xxe attacks with https://docs.python.org/3/library/xml.sax.html[xml.sax] module (for https://docs.python.org/3/library/xml.html#xml-vulnerabilities[other security reasons] than XXE, xml.sax is not recommended):`

RULEAPI-661: Add syntax coloring 2022-02-04 17:28:24 +01:00			`[source,python]`
Add missing rules because of approximative section names 2020-06-30 14:41:58 +02:00			`----`
			`parser = xml.sax.make_parser()`
			`myHandler = MyHandler()`
			`parser.setContentHandler(myHandler)`
			`parser.parse("ressources/xxe.xml") # Compliant: in version 3.7.1: The SAX parser no longer processes general external entities by default`

			`parser.setFeature(feature_external_ges, False) # Compliant`
			`parser.parse("ressources/xxe.xml")`
			`----`

			`include::../see.adoc[]`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`ifdef::env-github,rspecator-view[]`
RULEAPI-666: Migrate the "List of parameters", "Highlighting" and "Message" fields from jira RSPEC (#346) 2021-09-20 15:38:42 +02:00
			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

			`include::../message.adoc[]`

			`include::highlighting.adoc[]`

RULEAPI-576: add a horizontal rule between rule description and comments 2021-06-08 15:52:13 +02:00			`'''`
Export comments and rspec-to-rspec links from jira 2021-06-02 20:44:38 +02:00			`== Comments And Links`
			`(visible only on this page)`

			`include::../comments-and-links.adoc[]`
Fix the comment display: rule-id, timestamp, GH visibility, link direction 2021-06-03 09:05:38 +02:00			`endif::env-github,rspecator-view[]`