Deserialization

PyXmlDom

xml.dom.minidom provides DOM-style XML parsing. It is built on pyexpat, which does not resolve external entities by default, so a plain minidom.parse() or parseString() call does not fetch them. Both functions accept an optional parser argument, though, and an xml.sax parser configured to resolve external general entities (feature_external_ges) reintroduces XXE through exactly these calls. defusedxml.minidom is the hardened drop-in replacement: it refuses entity declarations outright instead of relying on parser defaults.

Taint flow: 0 sources, 2 sinks
Sinks — dangerous call
.parse()
.parseString()

Sinks

.parse() (Sink)
Signature
xml.dom.minidom.parse(file, parser=None, bufsize=None) -> Document

Parses an XML file (path or file object) into a minidom Document. With parser=None the default expatbuilder leaves external entity references unexpanded; passing an xml.sax parser that resolves external general entities turns the call into an XXE sink.

tracks: argument 0 (file)
.parseString() (Sink)
Signature
xml.dom.minidom.parseString(string, parser=None) -> Document

Parses an XML string into a Document. Same XXE consideration: the default parser does not resolve external entities, and only the parser argument can change that.

tracks: argument 0 (string)
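As an added example (not part of the codepathfinder page or of the minidom source), the three cases the sink descriptions distinguish, run with only the standard library: the default expatbuilder path, the same parseString() call with an xml.sax parser that has feature_external_ges switched on, and that parser with the feature switched off. The secret file, its path, the payload and all function names are constructed for the demonstration; parse() takes the same parser keyword and behaves the same way.

```python
import os
import tempfile
import xml.sax
import xml.sax.handler
from xml.dom import minidom

# Constructed sample data: a local file standing in for whatever an attacker
# wants to read off the parsing host.
SECRET = "s3cr3t-token"


def write_secret_file() -> str:
    """Write the constructed secret to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(SECRET)
    return path


def xxe_payload(path: str) -> str:
    """Classic XXE: an external general entity whose system id is a local file."""
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE r [<!ENTITY xxe SYSTEM "{path}">]>\n'
        "<r>&xxe;</r>"
    )


def root_text(doc: minidom.Document) -> str:
    """Text directly under the root; an unresolved entity contributes nothing."""
    root = doc.documentElement
    return "".join(n.data for n in root.childNodes if n.nodeType == n.TEXT_NODE)


def parse_default(payload: str) -> str:
    # No parser argument: minidom uses xml.dom.expatbuilder, whose external
    # entity handler ignores the reference, so the file is never opened.
    return root_text(minidom.parseString(payload))


def parse_with_resolving_sax_parser(payload: str) -> str:
    # A custom SAX parser handed to the sink. With feature_external_ges on,
    # xml.sax.expatreader opens the entity's system id and splices the file
    # content into the DOM. This is the flow the PyXmlDom sinks report.
    p = xml.sax.make_parser()
    p.setFeature(xml.sax.handler.feature_external_ges, True)
    return root_text(minidom.parseString(payload, parser=p))


def parse_with_safe_sax_parser(payload: str) -> str:
    # Same sink, same parser type, external general entities disabled. This
    # is the default since Python 3.7.1; setting it explicitly keeps the
    # intent visible to reviewers and to a future interpreter upgrade.
    p = xml.sax.make_parser()
    p.setFeature(xml.sax.handler.feature_external_ges, False)
    return root_text(minidom.parseString(payload, parser=p))


def demo() -> dict:
    """Run all three variants against the same payload and return the texts."""
    path = write_secret_file()
    try:
        payload = xxe_payload(path)
        return {
            "default": parse_default(payload),
            "resolving_parser": parse_with_resolving_sax_parser(payload),
            "safe_parser": parse_with_safe_sax_parser(payload),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for name, text in demo().items():
        print(f"{name:17s} -> {text!r}")
```

The default and safe variants return an empty string; the resolving parser returns the file content, which is why a taint rule has to treat the parser argument, not just the data argument, as part of the sink. defusedxml.minidom.parseString raises defusedxml.EntitiesForbidden on this same payload, which is the hardened replacement the page recommends; it is left out of the block so the example runs without third-party packages.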

Fully-Qualified Names

FQN                 Field
xml.dom             fqns[0]
xml.dom.minidom     fqns[1]

A wrong FQN does not error, it silently yields 0 findings, so check the rule in both directions: run it against code that calls xml.dom.minidom.parse() or parseString() with a custom parser and confirm it reports a finding, then change the fqns entries to garbage and confirm the same run produces 0 results.

Import

rule.py
from codepathfinder.go_rule import PyXmlDom