package_managers.py uses ET.ElementTree against untrusted data #96
Labels: bug
Just realized a lot of importers also use ElementTree. IMO, all of them need to be refactored; importer data is certainly not trusted data. Here's a quick grep of the importers using ElementTree:
This makes 100% sense! Good catch.
@Hritik14 do you mind checking (maybe with a quick search) whether other repos are impacted?
@pombredanne I ran a quick test. Potentially the following repos are affected:
Here's a quick grep of the codebases using ElementTree:
Here's a better grep with
The Python docs mention:
This is used at line 265 here:
https://github.com/nexB/vulnerablecode/blob/369897fb947584e44581df075c6e76638737f2ca/vulnerabilities/package_managers.py#L250-L266
The docs further suggest using defusedxml instead:
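To make the risk concrete, here is the unsafe pattern the issue describes next to a guarded parser built on the standard library alone. This is an added example, not code from vulnerablecode, from the Python docs, or from defusedxml; the two sample documents (`BENIGN`, a cut-down entity-expansion payload `LAUGHS`), the function names `parse_unsafe`, `parse_guarded`, `rejection_reason` and the exception class `ForbiddenXMLError` are all constructed for it. The guarded parser does what `defusedxml.ElementTree.fromstring` does by default (refuse entity declarations and external references, optionally the whole DTD) by driving expat directly into an `ElementTree.TreeBuilder`, so it runs where defusedxml is not installed; in the project itself, switching the import to defusedxml is the simpler fix.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class ForbiddenXMLError(ValueError):
    """Untrusted XML used a DTD, an entity declaration or an external reference."""


# Constructed sample inputs for this example, not data from any real package index.
BENIGN = b'<?xml version="1.0"?><packages><package name="foo" version="1.0"/></packages>'

# Cut-down "billion laughs": three nesting levels expand &lol3; to 3000 bytes.
# Real payloads use ten or more levels and expand to gigabytes.
LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE packages [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<packages><package name="&lol3;" version="1.0"/></packages>"""


def parse_unsafe(data: bytes) -> ET.Element:
    """The pattern the issue is about: ET.fromstring on bytes fetched from the network.

    xml.etree expands internal entities, so the name attribute below comes back
    3000 characters long; a deeper payload exhausts memory before the importer
    sees a single element.
    """
    return ET.fromstring(data)


def parse_guarded(data: bytes, forbid_dtd: bool = False) -> ET.Element:
    """Build the same Element tree from a raw expat parser whose DTD-related
    callbacks refuse the document before anything is expanded.

    Mirrors defusedxml's defaults (forbid entities and external references,
    optionally the whole DTD) using only the standard library. Namespace
    processing is left off, so tag names are returned exactly as written
    (prefix included) rather than in ET's "{uri}local" form.
    """
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()
    parser.buffer_text = True

    def refuse(what: str) -> None:
        # Exceptions raised inside expat callbacks propagate out of Parse().
        raise ForbiddenXMLError(f"refusing untrusted XML: {what}")

    # Ordinary content goes straight to the TreeBuilder.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data

    # DTD constructs are refused. Expat reports a declaration before it expands
    # any reference to it, so the bomb never goes off.
    if forbid_dtd:
        parser.StartDoctypeDeclHandler = (
            lambda name, sysid, pubid, has_internal: refuse(f"DTD for {name!r}")
        )
    parser.EntityDeclHandler = (
        lambda name, is_param, value, base, sysid, pubid, notation:
            refuse(f"entity declaration {name!r}")
    )
    parser.UnparsedEntityDeclHandler = (
        lambda name, base, sysid, pubid, notation: refuse(f"unparsed entity {name!r}")
    )
    parser.ExternalEntityRefHandler = (
        lambda context, base, sysid, pubid: refuse(f"external entity {sysid!r}")
    )
    # Never fetch or parse an external DTD subset either.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    parser.Parse(data, True)
    return builder.close()


def rejection_reason(data: bytes, forbid_dtd: bool = False) -> str:
    """Return why parse_guarded refused the document, or "" if it parsed."""
    try:
        parse_guarded(data, forbid_dtd=forbid_dtd)
    except ForbiddenXMLError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    print("unsafe, expanded name length:", len(parse_unsafe(LAUGHS)[0].get("name")))
    print("guarded, benign:", parse_guarded(BENIGN)[0].attrib)
    print("guarded, bomb:", rejection_reason(LAUGHS))
    print("guarded, bomb, DTD forbidden:", rejection_reason(LAUGHS, forbid_dtd=True))
```

Leaving `forbid_dtd` off matches defusedxml's default and still stops entity expansion, since the expansion needs a declaration and every declaration is refused; turning it on is stricter and appropriate for feeds that have no business shipping a DOCTYPE at all. Note that newer expat builds cap entity amplification on their own, which is why the sample above is kept below that threshold; it is a backstop, not a reason to keep parsing untrusted DTDs.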