Bandit should deprecate xml.etree use

Open clavedeluna opened this issue 3 years ago • 0 comments

Describe the bug

Bandit is using xml.etree which is not recommended.

Reproduction steps

If you run bandit on itself, `bandit -r bandit`, you'll get the following:

```text
>> Issue: [B405:blacklist] Using cElementTree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace cElementTree with the equivalent defusedxml package, or make sure defusedxml.defuse_stdlib() is called.
   Severity: Low   Confidence: High
   CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
   Location: bandit/formatters/xml.py:40:0
   More Info: https://bandit.readthedocs.io/en/1.7.4/blacklists/blacklist_imports.html#b405-import-xml-etree
39	import sys
40	from xml.etree import cElementTree as ET
41
42	from bandit.core import docs_utils
```

Expected behavior

Replace this with defusedxml

Bandit version

1.7.4 (Default)

Python version

3.8

Additional context

No response

clavedeluna avatar Sep 14 '22 13:09 clavedeluna
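The B405 finding above is about what `xml.etree` does with DTD constructs in untrusted input. As an added example (not Bandit's own code, and not defusedxml), the stdlib-only guard below pre-scans a document with expat and rejects the same features defusedxml forbids (DOCTYPE, entity declarations, external entity references) before `xml.etree` ever sees it; the `ForbiddenXML` class, the `check_untrusted_xml`/`parse_untrusted`/`accepts` functions and the sample documents are all constructed here. In a real fix you would replace the import with `defusedxml.ElementTree` or call `defusedxml.defuse_stdlib()` as the finding suggests; this shows why that matters.

```python
"""Stdlib-only guard mirroring what defusedxml blocks (added example, assumed names)."""
from xml.etree import ElementTree as ET
from xml.parsers import expat


class ForbiddenXML(ValueError):
    """Raised when untrusted XML uses a DTD or entity feature."""


def _forbid(what):
    # Any of these handlers firing means the document declares a DTD or
    # entities, which plain xml.etree would silently expand.
    def handler(*_args):
        raise ForbiddenXML(f"{what} is not allowed in untrusted XML")
    return handler


def check_untrusted_xml(data: bytes) -> None:
    """Pre-scan with expat; abort on DOCTYPE, entity declarations or external refs."""
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _forbid("DOCTYPE")
    parser.EntityDeclHandler = _forbid("entity declaration")
    parser.UnparsedEntityDeclHandler = _forbid("unparsed entity")
    parser.ExternalEntityRefHandler = _forbid("external entity reference")
    parser.Parse(data, True)  # raises ForbiddenXML from a handler, or ExpatError


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse with xml.etree only after the guard has accepted the document."""
    check_untrusted_xml(data)
    return ET.fromstring(data)


def accepts(data: bytes) -> bool:
    """True if the guard lets the document through, False if it is rejected."""
    try:
        check_untrusted_xml(data)
    except ForbiddenXML:
        return False
    return True


# Constructed sample input: a harmless element, and one with an internal entity.
PLAIN = b"<report><issue id='B405'/></report>"
WITH_ENTITY = b'<!DOCTYPE d [<!ENTITY e "expanded">]><r>&e;</r>'


def stdlib_expands_entity(data: bytes = WITH_ENTITY) -> str:
    """Shows that unguarded xml.etree resolves the declared entity to its value."""
    return ET.fromstring(data).text
```

Unguarded `ET.fromstring` returns the expanded entity text, while `accepts(WITH_ENTITY)` is `False`; only `PLAIN` reaches `xml.etree` through `parse_untrusted`.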