
B314 since Python 3.6 is not valid

Open CyberKatze opened this issue 2 years ago • 5 comments

Describe the bug

I checked the Python xml processing module and the vulns that Bandit reports are no longer there. Maybe you should remove it:

  • xml.etree.ElementTree.parse
  • xml.etree.ElementTree.iterparse
  • xml.etree.ElementTree.fromstring
  • xml.etree.ElementTree.XMLParser

https://docs.python.org/3/library/xml.html#xml-vulnerabilities

I also checked billion laughs and quadratic blowup: no longer there, even the doc above says so.

Reproduction steps

  1. Using xml.etree

```python
import xml.etree.ElementTree as ET
import xml as xml

tree = ET.parse('country_data.xml')
print(tree.findtext('body'))
```

output:

```text
>> Issue: [B314:blacklist] Using xml.etree.ElementTree.parse to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.etree.ElementTree.parse with its defusedxml equivalent function or make sure defusedxml.defuse_stdlib() is called
   Severity: Medium   Confidence: High
   CWE: CWE-20 (https://cwe.mitre.org/data/definitions/20.html)
   More Info: https://bandit.readthedocs.io/en/1.7.5/blacklists/blacklist_calls.html#b313-b320-xml-bad-elementtree
   Location: main.py:5:7
4
5       tree = ET.parse('country_data.xml')
6       print(tree.findtext('body'))
```

Expected behavior

Maybe remove [B314] or explain your concern there.

Bandit version

1.7.5 (Default)

Python version

3.11

Additional context

No response

CyberKatze avatar Dec 04 '23 09:12 CyberKatze

So after some digging on this topic, it seems Python has a vendored version of expat embedded. This is the default version (at least for macOS and Windows). However, it does seem permitted to use an external system-level version. So maybe there is still a window of vulnerability there? In any case, the latest minor versions of Python 3.8 to 3.12 all vendor expat 2.5.0 now. So it might make sense to deprecate or remove this check.

ericwb avatar Dec 09 '23 06:12 ericwb

To see the vendored version of expat embedded in Python you can browse to: https://github.com/python/cpython/blob/3.8/Modules/expat/expat.h#L1056C20-L1056C20

At the bottom of this header file you'll find the expat major, minor, and micro version.

ericwb avatar Dec 09 '23 06:12 ericwb

However, I also found that the oldest version of Python 3.8, 3.8.0, which Bandit officially still supports does include an older, vulnerable version of expat 2.2.8: https://github.com/python/cpython/blob/v3.8.0/Modules/expat/expat.h#L1016

The same can be found for Python 3.9.0: https://github.com/python/cpython/blob/v3.9.0/Modules/expat/expat.h#L1016

Python 3.10.0 is the first minor version to have the fixed expat 2.4.1: https://github.com/python/cpython/blob/v3.10.0/Modules/expat/expat.h#L1042

As such, we should leave this plugin check for xml.etree.ElementTree at least until 3.9.0 is end-of-life.

ericwb avatar Dec 09 '23 06:12 ericwb

Expat 2.4.1 wasn't added to Python 3.8 until 3.8.12. Similarly for 3.9, not until 3.9.7.

ericwb avatar Dec 09 '23 18:12 ericwb
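A runtime check for the expat question raised in the comments above, added here as an example and not part of this issue or of Bandit itself: it reads the expat version the running interpreter is actually linked against (which can differ from the vendored header when a system-level expat is used, as noted above) and compares it with the 2.4.1 threshold and the first-fixed patch releases cited in this thread (3.8.12, 3.9.7, 3.10.0). `pyexpat.version_info` and `pyexpat.EXPAT_VERSION` are standard-library attributes; the helper names and the `audit()` layout are my own.

```python
import sys
import pyexpat

# Minimum expat release this thread identifies as carrying the fixes.
MIN_EXPAT = (2, 4, 1)

# First CPython patch release of each minor that vendors expat >= 2.4.1,
# as reported in this thread. 3.10.0 and later shipped it from the start.
FIRST_FIXED_PATCH = {(3, 8): 12, (3, 9): 7}


def parse_expat_version(label):
    """Turn pyexpat.EXPAT_VERSION ('expat_2.5.0') into a comparable tuple."""
    prefix = "expat_"
    if not label.startswith(prefix):
        raise ValueError(f"unexpected expat version label: {label!r}")
    parts = label[len(prefix):].split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected expat version label: {label!r}")
    return tuple(int(p) for p in parts)


def expat_is_fixed(version):
    """True when the linked expat is at or above the 2.4.1 threshold."""
    return tuple(version) >= MIN_EXPAT


def interpreter_vendors_fixed_expat(py_version):
    """Judge by CPython release number alone, using the thread's data.

    Returns None for minors the thread does not cover (3.7 and earlier).
    """
    major, minor, micro = tuple(py_version)[:3]
    if (major, minor) >= (3, 10):
        return True
    first = FIRST_FIXED_PATCH.get((major, minor))
    if first is None:
        return None
    return micro >= first


def audit():
    """Report both views: what is linked at runtime and what the release implies."""
    linked = tuple(pyexpat.version_info)
    return {
        "python": tuple(sys.version_info[:3]),
        "expat_label": pyexpat.EXPAT_VERSION,
        "expat_linked": linked,
        "expat_linked_ok": expat_is_fixed(linked),
        "expat_vendored_ok": interpreter_vendors_fixed_expat(sys.version_info),
    }


if __name__ == "__main__":
    print(audit())
```

If `expat_linked_ok` and `expat_vendored_ok` disagree, the interpreter is not using the vendored expat, which is the case ericwb flags as a possible remaining window.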

I also checked the latest patch for Python 3.6 (3.6.15) and 3.7 (3.7.17); both are safe. Only for 3.5 and below did the latest patch not include the fix. I couldn't find their repo branches that I can refer to, but I just tested by running all 5 possible XML vulns. Might be useful to know.

CyberKatze avatar Dec 11 '23 09:12 CyberKatze