{"title":"XML Entity Expansion (Billion Laughs)","language":"Python","severity":"High","cwe":"CWE-776","source_lines":[9],"flow_lines":[9,11],"sink_lines":[11],"vulnerable_code":"import xml.etree.ElementTree as ET\nfrom flask import Flask, request, jsonify\n\napp = Flask(__name__)\n\n@app.route('/iot/device/config', methods=['POST'])\ndef update_device_config():\n    config_xml = request.data.decode('utf-8')\n    try:\n        root = ET.fromstring(config_xml)\n        device_id = root.find('device_id').text\n        settings = {child.tag: child.text for child in root.find('settings')}\n        return jsonify({'status': 'success', 'device': device_id, 'applied': settings})\n    except ET.ParseError:\n        return jsonify({'error': 'Invalid XML format'}), 400","explanation":"The code uses xml.etree.ElementTree to parse untrusted XML input without disabling entity expansion. This allows attackers to craft malicious XML with recursive entity definitions (Billion Laughs attack) that exponentially expand in memory, causing denial of service through resource exhaustion.","remediation":"The fix replaces the standard `xml.etree.ElementTree` module with `defusedxml.ElementTree`, which provides protection against XML entity expansion attacks (Billion Laughs), external entity attacks (XXE), and other XML-based exploits by disabling DTD processing and entity expansion by default.","secure_code":"import defusedxml.ElementTree as ET\nfrom flask import Flask, request, jsonify\n\napp = Flask(__name__)\n\n@app.route('/iot/device/config', methods=['POST'])\ndef update_device_config():\n    config_xml = request.data.decode('utf-8')\n    try:\n        root = ET.fromstring(config_xml)\n        device_id = root.find('device_id').text\n        settings = {child.tag: child.text for child in root.find('settings')}\n        return jsonify({'status': 'success', 'device': device_id, 'applied': settings})\n    except ET.ParseError:\n        return jsonify({'error': 'Invalid XML format'}), 400"}