# XML External Entity (XXE) Injection via lxml etree.parse()

Language: Python
Severity: High
CWE: CWE-611

## Source
4

## Flow
4-5-6-7

## Sink
7

## Vulnerable Code
```python
from lxml import etree
import io

def process_iot_device_telemetry(telemetry_xml_data):
    parser = etree.XMLParser(resolve_entities=True)  # entity substitution explicitly enabled (the flaw)
    telemetry_stream = io.BytesIO(telemetry_xml_data.encode('utf-8'))  # untrusted input from the caller
    device_tree = etree.parse(telemetry_stream, parser)  # sink: parses attacker-controlled XML with entities resolved
    root_element = device_tree.getroot()
    device_id = root_element.find('.//deviceId').text
    temperature = root_element.find('.//temperature').text
    humidity = root_element.find('.//humidity').text
    return {'device': device_id, 'temp': temperature, 'humidity': humidity}
```

## Explanation

The function accepts untrusted XML telemetry data and parses it with `resolve_entities=True` explicitly enabled, making it vulnerable to XXE attacks. An attacker who controls the telemetry document can declare entities in a DOCTYPE and have the parser substitute them, which allows reading arbitrary files on the host, performing SSRF via external entity references, or causing denial of service through entity expansion ("billion laughs") attacks.

## Remediation

The fix disables XML external entity processing by setting `resolve_entities=False`, `no_network=True`, `dtd_validation=False`, and `load_dtd=False` on the `XMLParser`. This prevents attackers from injecting malicious entity declarations that could read local files, perform SSRF, or cause denial of service through entity expansion attacks. Note that with `resolve_entities=False` lxml leaves entity references unexpanded rather than rejecting the document, so a DOCTYPE is still accepted and any element text that depended on a custom entity comes back empty; since telemetry never needs a DTD, rejecting documents that carry one before parsing is a sensible additional check.

## Secure Code
```python
from lxml import etree
import io

def process_iot_device_telemetry(telemetry_xml_data):
    parser = etree.XMLParser(
        resolve_entities=False,  # never substitute entity values into the document
        no_network=True,         # never fetch external DTDs or entities over the network
        dtd_validation=False,    # do not validate against a DTD
        load_dtd=False,          # do not load an external DTD at all
    )
    telemetry_stream = io.BytesIO(telemetry_xml_data.encode('utf-8'))
    device_tree = etree.parse(telemetry_stream, parser)  # hardened parser, no entity resolution
    root_element = device_tree.getroot()
    device_id = root_element.find('.//deviceId').text
    temperature = root_element.find('.//temperature').text
    humidity = root_element.find('.//humidity').text
    return {'device': device_id, 'temp': temperature, 'humidity': humidity}
```
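The following is an added example, not code from the original entry: it combines the hardened `XMLParser` settings from the remediation with a pre-parse rejection of any DOCTYPE and strict extraction of the required fields, so a missing element produces a clean error instead of an `AttributeError` from `None.text`. The helper names (`RejectedTelemetry`, `contains_doctype`, `make_hardened_parser`, `telemetry_is_rejected`) and the sample telemetry strings are assumptions constructed for the example; the fallback to the standard-library parser when lxml is not installed is likewise an assumption, and is only acceptable because the DOCTYPE check runs before any parser sees the input.

```python
import io

try:
    from lxml import etree  # preferred: the hardened lxml parser from the remediation
    HAVE_LXML = True
except ImportError:  # assumption: fall back to the stdlib parser if lxml is absent
    import xml.etree.ElementTree as etree
    HAVE_LXML = False


class RejectedTelemetry(ValueError):
    """Raised for telemetry that fails the pre-parse check or lacks a required field."""


def contains_doctype(telemetry_xml_data: str) -> bool:
    """A DOCTYPE (internal subset or external DTD reference) is the only place an
    XML document can declare entities; device telemetry never needs one."""
    # The keyword is case-sensitive in XML, so a plain substring test is enough.
    # A false positive (the string inside a comment) is acceptable for telemetry.
    return "<!DOCTYPE" in telemetry_xml_data


def make_hardened_parser():
    """Return the parser configured as in the remediation; None selects the
    stdlib default when lxml is unavailable (safe only because DOCTYPEs are
    rejected before parsing)."""
    if not HAVE_LXML:
        return None
    return etree.XMLParser(
        resolve_entities=False,  # never substitute entity values into text
        no_network=True,         # never fetch external DTDs or entities over the network
        dtd_validation=False,    # do not validate against a DTD
        load_dtd=False,          # do not load an external DTD at all
    )


# output key -> element tag, same fields as the original function
REQUIRED_FIELDS = {"device": "deviceId", "temp": "temperature", "humidity": "humidity"}


def process_iot_device_telemetry(telemetry_xml_data: str) -> dict:
    """Hardened variant: reject DOCTYPEs up front, parse with the hardened parser,
    and fail cleanly on malformed input or missing fields."""
    if contains_doctype(telemetry_xml_data):
        raise RejectedTelemetry("DOCTYPE declarations are not accepted in telemetry")

    telemetry_stream = io.BytesIO(telemetry_xml_data.encode("utf-8"))
    try:
        device_tree = etree.parse(telemetry_stream, make_hardened_parser())
    except etree.ParseError as exc:  # lxml's XMLSyntaxError subclasses ParseError
        raise RejectedTelemetry(f"malformed telemetry: {exc}") from None

    root_element = device_tree.getroot()
    record = {}
    for key, tag in REQUIRED_FIELDS.items():
        element = root_element.find(f".//{tag}")
        if element is None or element.text is None:
            raise RejectedTelemetry(f"missing required field <{tag}>")
        record[key] = element.text.strip()
    return record


def telemetry_is_rejected(telemetry_xml_data: str) -> bool:
    """True when the hardened function refuses the document."""
    try:
        process_iot_device_telemetry(telemetry_xml_data)
    except RejectedTelemetry:
        return True
    return False


# Constructed sample inputs (not from the original page).
SAMPLE_TELEMETRY = (
    '<?xml version="1.0" encoding="utf-8"?>'
    "<telemetry><deviceId>sensor-17</deviceId>"
    "<temperature>21.5</temperature><humidity>40</humidity></telemetry>"
)
# Harmless internal entity: rejected purely because it carries a DOCTYPE.
DOCTYPE_TELEMETRY = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE telemetry [<!ENTITY label "constructed">]>'
    "<telemetry><deviceId>&label;</deviceId>"
    "<temperature>21.5</temperature><humidity>40</humidity></telemetry>"
)
MISSING_FIELD_TELEMETRY = "<telemetry><deviceId>sensor-17</deviceId></telemetry>"

if __name__ == "__main__":
    print(process_iot_device_telemetry(SAMPLE_TELEMETRY))
    print("doctype rejected:", telemetry_is_rejected(DOCTYPE_TELEMETRY))
    print("missing field rejected:", telemetry_is_rejected(MISSING_FIELD_TELEMETRY))
```

The DOCTYPE check is deliberately independent of the parser: the hardened `XMLParser` options stop entity substitution and network fetches, but they do not make a document that declares entities an error, so rejecting the DTD up front both closes that gap and gives a clear signal worth logging when a device starts sending documents it has no reason to send.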
