{"title":"XXE via lxml External Entity Resolution","language":"Python","severity":"Critical","cwe":"CWE-611","source_lines":[5],"flow_lines":[5,7],"sink_lines":[7],"vulnerable_code":"from lxml import etree\nimport requests\n\ndef process_iot_device_config(config_xml_url):\n device_config = requests.get(config_xml_url).content\n parser = etree.XMLParser(resolve_entities=True, no_network=False)\n config_tree = etree.fromstring(device_config, parser)\n device_id = config_tree.find('.//device_id').text\n firmware_ver = config_tree.find('.//firmware').text\n telemetry_endpoint = config_tree.find('.//telemetry_url').text\n return {'id': device_id, 'firmware': firmware_ver, 'endpoint': telemetry_endpoint}","explanation":"The code fetches XML content from an untrusted URL and parses it with entity resolution explicitly enabled (resolve_entities=True) and network access allowed (no_network=False). This allows XXE attacks where malicious XML can reference external entities to read local files, perform SSRF attacks, or cause denial of service.","remediation":"The fix disables external entity resolution by setting resolve_entities=False and blocks network access during parsing with no_network=True. Additionally, DTD loading and validation are explicitly disabled (dtd_validation=False, load_dtd=False) to prevent any DTD-based attack vectors, ensuring that malicious XML cannot reference external entities or remote resources.","secure_code":"from lxml import etree\nimport requests\n\ndef process_iot_device_config(config_xml_url):\n device_config = requests.get(config_xml_url).content\n parser = etree.XMLParser(resolve_entities=False, no_network=True, dtd_validation=False, load_dtd=False)\n config_tree = etree.fromstring(device_config, parser)\n device_id = config_tree.find('.//device_id').text\n firmware_ver = config_tree.find('.//firmware').text\n telemetry_endpoint = config_tree.find('.//telemetry_url').text\n return {'id': device_id, 'firmware': firmware_ver, 'endpoint': telemetry_endpoint}"}