
Numerous security issues.

Open d1b opened this issue 6 years ago • 0 comments

Hi, there are several security issues in the code found in this repository.

The first is that https://github.com/thinkingserious/sendgrid-python-dmarc-parser/blob/9cfac0992f75031e45f7eaea45710e2182742694/dmarc_parser/unzip.py#L28 is vulnerable to path traversal. It needs to filter out path traversal characters (e.g. take the basename of a given file) or generate its own filename(s) or consume the xml without writing it to the file system to fix this issue.

Another issue that seemingly exists is XXE (https://en.wikipedia.org/wiki/XML_external_entity_attack) when parsing dmarc xml reports. This appears to be in https://github.com/thinkingserious/sendgrid-python-dmarc-parser/blob/master/dmarc_parser/parse_dmarc.py#L26 and can be fixed by making use of https://pypi.org/project/defusedxml/.

d1b avatar Apr 21 '19 03:04 d1b
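One way to apply both fixes the issue proposes, as an added example that is not the project's own code: every zip member name is resolved against the extraction directory and rejected if it escapes it, and the report XML is parsed in memory with defusedxml instead of being written to disk. The stdlib fallback parser, the `dest_dir` name and the constructed sample archive are assumptions made for this demo.

```python
import io
import os
import zipfile

# defusedxml is the fix the issue proposes. Falling back to the stdlib parser is
# an assumption for this demo only: it lacks defusedxml's DTD/entity protections.
try:
    from defusedxml.ElementTree import fromstring as _fromstring

    def parse_xml(data: bytes):
        return _fromstring(data, forbid_dtd=True)  # any DOCTYPE is rejected
except ImportError:
    import xml.etree.ElementTree as _et

    def parse_xml(data: bytes):
        return _et.fromstring(data)

def safe_member_path(dest_dir: str, member_name: str):
    """Absolute path where a zip member may be written, or None when the name
    (e.g. '../x.xml' or an absolute path) resolves outside dest_dir."""
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, member_name))
    return target if os.path.commonpath([root, target]) == root else None

def read_dmarc_reports(zip_bytes: bytes, dest_dir: str = "reports"):
    """Parse every .xml member in memory (nothing is written to disk) and
    return ({member_name: org_name}, [rejected member names])."""
    reports, rejected = {}, []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # A name that would escape dest_dir marks a crafted archive:
            # record it for logging instead of trusting it anywhere.
            if safe_member_path(dest_dir, info.filename) is None:
                rejected.append(info.filename)
            elif info.filename.lower().endswith(".xml"):
                root = parse_xml(zf.read(info))
                reports[info.filename] = root.findtext("report_metadata/org_name")
    return reports, rejected

# Constructed sample: one aggregate report plus a member whose name tries to
# climb out of the extraction directory.
SAMPLE_REPORT = (b'<?xml version="1.0"?><feedback><report_metadata>'
                 b"<org_name>example.net</org_name></report_metadata></feedback>")

def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("example.net!example.com!1.xml", SAMPLE_REPORT)
        zf.writestr("../evil.xml", SAMPLE_REPORT)
    return buf.getvalue()
```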