sdk/python/Deserialization/PyXmlDom

PyXmlDom

xml.dom.minidom for DOM-style XML parsing. Built on pyexpat which by default does not resolve external entities, but custom resolvers can reintroduce XXE. defusedxml.minidom is the hardened replacement.

2 sinks

Taint flow0 sources → 2 sinks

Sinks — dangerous call

.parse()Parses XML file via minidom

.parseString()Parses XML string

Sinks

— dangerous functions taint must not reach

.parse()Sink

Signature

xml.dom.minidom.parse(file, parser=None, bufsize=None) -> Document

Parses XML file via minidom. XXE sink on custom parsers that resolve externals.

tracks:0

.parseString()Sink

Signature

xml.dom.minidom.parseString(string, parser=None) -> Document

Parses XML string. Same XXE considerations.

tracks:0

Fully-Qualified Names

FQN	Field
xml.dom	fqns[0]
xml.dom.minidom	fqns[1]

Wrong FQN → 0 findings. Verify with: change fqns to garbage → must produce 0 results.

Import

rule.py

from codepathfinder.go_rule import PyXmlDom

← PreviousPyToml

Next →PyXmlEtree