{"title":"XXE via lxml External Entity Resolution","language":"Python","severity":"High","cwe":"CWE-611","source_lines":[5],"flow_lines":[5,6,7],"sink_lines":[7],"vulnerable_code":"from lxml import etree\nimport requests\n\ndef process_iot_device_manifest(manifest_url):\n    device_xml = requests.get(manifest_url).content\n    parser = etree.XMLParser(resolve_entities=True, no_network=False)\n    manifest_tree = etree.fromstring(device_xml, parser)\n    device_id = manifest_tree.find('.//deviceID').text\n    firmware_ver = manifest_tree.find('.//firmwareVersion').text\n    capabilities = [cap.text for cap in manifest_tree.findall('.//capability')]\n    return {'id': device_id, 'firmware': firmware_ver, 'caps': capabilities}","explanation":"The code fetches untrusted XML content from a remote URL and parses it with an XMLParser configured with resolve_entities=True and no_network=False, enabling XXE attacks. An attacker can provide a malicious manifest URL containing external entity declarations that reference local files or internal network resources, leading to information disclosure or SSRF.","remediation":"The fix secures the XMLParser by setting resolve_entities=False to prevent external entity expansion, no_network=True to block network access during parsing, and dtd_validation=False with load_dtd=False to prevent DTD loading entirely. These settings ensure that even if a malicious XML document contains external entity declarations, they will not be resolved or fetched.","secure_code":"from lxml import etree\nimport requests\n\ndef process_iot_device_manifest(manifest_url):\n    device_xml = requests.get(manifest_url).content\n    parser = etree.XMLParser(resolve_entities=False, no_network=True, dtd_validation=False, load_dtd=False)\n    manifest_tree = etree.fromstring(device_xml, parser)\n    device_id = manifest_tree.find('.//deviceID').text\n    firmware_ver = manifest_tree.find('.//firmwareVersion').text\n    capabilities = [cap.text for cap in manifest_tree.findall('.//capability')]\n    return {'id': device_id, 'firmware': firmware_ver, 'caps': capabilities}"}