mcp-server-semgrep/semgrep-rules/python/lang/security/use-defused-xml-parse.yaml

MCP Server for Semgrep Integration - static code analysis with AI

rules:
- id: use-defused-xml-parse
  metadata:
    owasp:
    - A04:2017 - XML External Entities (XXE)
    - A05:2021 - Security Misconfiguration
    cwe:
    - 'CWE-611: Improper Restriction of XML External Entity Reference'
    references:
    - https://docs.python.org/3/library/xml.html
    - https://github.com/tiran/defusedxml
    - https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
    category: security
    technology:
    - python
    cwe2022-top25: true
    cwe2021-top25: true
    subcategory:
    - vuln
    likelihood: LOW
    impact: MEDIUM
    confidence: MEDIUM
  message: >-
    The native Python `xml` library is vulnerable to XML External Entity (XXE) attacks. 
    These attacks can leak confidential data and "XML bombs" can cause denial of service.
    Do not use this library to parse untrusted input. Instead 
    the Python documentation recommends using `defusedxml`.
  languages: [python]
  severity: ERROR
  patterns:
    - pattern: xml.etree.ElementTree.parse($...ARGS)
    - pattern-not: xml.etree.ElementTree.parse("...")
  fix: defusedxml.etree.ElementTree.parse($...ARGS)