# XXE via lxml External Entity Resolution

Language: Python
Severity: Critical
CWE: CWE-611

## Source
5

## Flow
5-7

## Sink
7

## Vulnerable Code
```python
from lxml import etree
import requests

def process_iot_device_config(config_xml_url):
    device_config = requests.get(config_xml_url).content
    parser = etree.XMLParser(resolve_entities=True, no_network=False)
    config_tree = etree.fromstring(device_config, parser)
    device_id = config_tree.find('.//device_id').text
    firmware_ver = config_tree.find('.//firmware').text
    telemetry_endpoint = config_tree.find('.//telemetry_url').text
    return {'id': device_id, 'firmware': firmware_ver, 'endpoint': telemetry_endpoint}
```

## Explanation

The code fetches XML content from an untrusted URL and parses it with entity resolution explicitly enabled (resolve_entities=True) and network access allowed (no_network=False). This allows XXE attacks where malicious XML can reference external entities to read local files, perform SSRF attacks, or cause denial of service.

## Remediation

The fix disables external entity resolution by setting resolve_entities=False and blocks network access during parsing with no_network=True. Additionally, DTD loading and validation are explicitly disabled (dtd_validation=False, load_dtd=False) to prevent any DTD-based attack vectors, ensuring that malicious XML cannot reference external entities or remote resources.

## Secure Code
```python
from lxml import etree
import requests

def process_iot_device_config(config_xml_url):
    device_config = requests.get(config_xml_url).content
    parser = etree.XMLParser(resolve_entities=False, no_network=True, dtd_validation=False, load_dtd=False)
    config_tree = etree.fromstring(device_config, parser)
    device_id = config_tree.find('.//device_id').text
    firmware_ver = config_tree.find('.//firmware').text
    telemetry_endpoint = config_tree.find('.//telemetry_url').text
    return {'id': device_id, 'firmware': firmware_ver, 'endpoint': telemetry_endpoint}
```