Vulnerability to XML attacks #11

Open
ChakshuGupta13 opened this issue Oct 30, 2024 · 3 comments
ChakshuGupta13 commented Oct 30, 2024

B410: import_lxml

Using etree to parse untrusted XML data is known to be vulnerable to XML attacks. Replace etree with the equivalent defusedxml package.

PetrVys (Owner) commented Oct 30, 2024

Hello,

Thanks for the scan. I believe this is a false positive, since Tkd-Alex used lxml.etree (external library) and not xml.etree (internal Python C implementation). lxml is a new implementation and, to the best of my (limited) knowledge, it is regularly updated and safe to use.

PetrVys self-assigned this on Oct 30, 2024
ChakshuGupta13 changed the title from "The xml.etree.ElementTree module is deprecated." to "Vulnerability to XML attacks" on Oct 31, 2024
ChakshuGupta13 (Author) commented:
You're right about xml.etree - I confused it with lxml. But the concern about lxml still stands. I have updated the issue description with a relevant link and reference; maybe that will help clarify.

PetrVys (Owner) commented Oct 31, 2024

Ok, I stand corrected :-)

I'll add it to the queue. In the meantime, it's definitely not a serious issue; stealing data from a malformed XMP tag into another offline picture is a very unlikely scenario ^_^
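The scenario the two of you are circling (an XMP packet in one picture that pulls a local file into a metadata field, which then gets written into another picture) is a plain XXE through lxml.etree, and the fix Bandit's B410 is nudging toward is a parser that does not resolve entities. The block below is an added example, not code from this project or from either commenter. It constructs a small XMP packet with an external entity pointing at a constructed secret file in a temp directory, parses it once with an explicitly entity-resolving lxml parser and once with a hardened one, and shows the leak and the refusal. Whether lxml's default parser resolves external entities depends on the lxml version (lxml 5.0 changed the default of resolve_entities from True to 'internal'), so the permissive parser is built explicitly rather than relying on the default. The function names, the XMP text and the secret value are all illustrative.

```python
"""XXE through lxml.etree on an untrusted XMP packet, and a hardened parse.

Added example, not the project's code. Everything here is constructed:
the XMP packet, the secret file and the function names.
"""
import pathlib
import tempfile

from lxml import etree

DC_NS = "http://purl.org/dc/elements/1.1/"


def build_xmp(description: str, doctype: str = "") -> bytes:
    """Constructed XMP packet. `doctype` is an optional DOCTYPE declaration
    placed before the root element (a legitimate XMP packet has none)."""
    return f"""<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
{doctype}<x:xmpmeta xmlns:x="adobe:ns:meta/">
  <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
           xmlns:dc="{DC_NS}">
    <rdf:Description rdf:about="">
      <dc:description>{description}</dc:description>
    </rdf:Description>
  </rdf:RDF>
</x:xmpmeta>
<?xpacket end="w"?>""".encode()


def build_xxe_xmp(target_file: pathlib.Path) -> bytes:
    """Attacker's packet: an external entity whose body is a local file,
    referenced from the dc:description field."""
    uri = target_file.resolve().as_uri()
    dtd = f'<!DOCTYPE x:xmpmeta [ <!ENTITY xxe SYSTEM "{uri}"> ]>\n'
    return build_xmp("&xxe;", dtd)


def parse_description_permissive(data: bytes) -> str:
    """What B410 warns about: a parser that substitutes entities, including
    external ones, so the file contents end up in the metadata field."""
    parser = etree.XMLParser(resolve_entities=True)
    root = etree.fromstring(data, parser)
    return root.findtext(f".//{{{DC_NS}}}description")


def parse_description_hardened(data: bytes) -> str:
    """Hardened parse: refuse any DTD up front (XMP never needs one), and
    even if something slipped through, do not resolve entities, do not load
    external DTDs, do not touch the network, and keep libxml2's tree-size
    limits (huge_tree=False) against entity-expansion blowups."""
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("XMP packet carries a DTD; refusing to parse it")
    parser = etree.XMLParser(
        resolve_entities=False,
        load_dtd=False,
        no_network=True,
        huge_tree=False,
    )
    root = etree.fromstring(data, parser)
    return root.findtext(f".//{{{DC_NS}}}description")


def demo() -> dict:
    """Run both parsers against the hostile packet and the hardened one
    against a benign packet. Returns the observations for inspection."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = pathlib.Path(tmp) / "secret.txt"
        secret.write_text("s3cr3t-token-42")  # constructed secret

        evil = build_xxe_xmp(secret)
        leaked = parse_description_permissive(evil)

        try:
            parse_description_hardened(evil)
            blocked = False
        except ValueError:
            blocked = True

        benign = parse_description_hardened(build_xmp("holiday photo"))

    return {"leaked": leaked, "blocked": blocked, "benign": benign}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The DOCTYPE pre-check is the part that actually closes the hole: with resolve_entities=False alone, lxml keeps the `&xxe;` reference as an unexpanded entity node, which is harmless here but still lets attacker-controlled DTD text into the tree. Rejecting the packet outright is the simpler contract for metadata that never legitimately carries a DTD.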
