python-defusedxml
Port variant py37
Summary XML bomb protection for stdlib modules (PY37)
Package version 0.6.0
Homepage https://github.com/tiran/defusedxml
Keywords python
Maintainer Python Automaton
License Not yet specified
Other variants py38
Last modified 15 AUG 2020, 23:27:53 UTC
Port created 15 AUG 2020, 23:27:53 UTC
Subpackage Descriptions
single

===================================================
defusedxml -- defusing XML bombs and other exploits
===================================================

.. "It's just XML, what could probably go wrong?"

   Christian Heimes

Synopsis
========

The results of an attack on a vulnerable XML library can be fairly dramatic. With just a few hundred **Bytes** of XML data an attacker can occupy several **Gigabytes** of memory within **seconds**. An attacker can also keep CPUs busy for a long time with a small to medium size request. Under some circumstances it is even possible to access local files on your server, to circumvent a firewall, or to abuse services to rebound attacks to third parties.

The attacks use and abuse less common features of XML and its parsers. The majority of developers are unacquainted with features such as processing instructions and entity expansions that XML inherited from SGML. At best they know about ```` from experience with HTML, but they are not aware that a document type definition (DTD) can generate an HTTP request or load a file from the file system.

None of the issues is new. They have been known for a long time; Billion Laughs was first reported in 2003. Nevertheless some XML libraries and applications are still vulnerable, and even heavy users of XML are surprised by these features.

It's hard to say whom to blame for the situation. It's too short-sighted to shift all blame onto XML parsers and XML libraries for using insecure default settings. After all, they properly implement XML specifications. Application developers must not rely on a library being configured for security and against potentially harmful data by default.

.. contents:: Table of Contents
   :depth: 2

Attack vectors
==============

billion laughs / exponential entity expansion
---------------------------------------------

The `Billion Laughs`_ attack -- also known as exponential entity expansion -- uses multiple levels of nested entities. The original example uses 9 levels of 10 expansions in each level to expand the string lol to a string of 3 * 10 :sup:`9` bytes, hence the name "billion laughs". The resulting string occupies 3 GB (2.79 GiB) of memory; intermediate strings require additional memory. Because most parsers don't cache the intermediate step for every expansion, it is repeated over and over again, which increases the CPU load even more. An XML document of just a few hundred bytes can disrupt all services on a machine within seconds.

Example XML::

    ]>
    &d;

quadratic blowup entity expansion
---------------------------------

A quadratic blowup attack is similar to a `Billion Laughs`_ attack; it abuses entity expansion, too. Instead of nested entities it repeats one large entity with a couple of thousand chars over and over again. The attack isn't as efficient as the exponential case, but it avoids triggering countermeasures of parsers against heavily nested entities. Some parsers limit the depth and breadth of a single entity but not the total amount of expanded text throughout an entire XML document.
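The two entity-expansion attacks above are both stopped at the same point: the parser must refuse entity declarations before any expansion happens, and, as defence in depth, cap the amount of expanded text it is willing to produce. The following is an added example, not defusedxml's own code, that shows this mechanism with only the standard library's expat binding (defusedxml applies the same idea across ElementTree, minidom, sax and pulldom). The sample documents, the function names and the 1 MB default text cap are constructed for the example.

```python
"""Entity-declaration guard for expat, in the spirit of defusedxml.

Added example, not defusedxml's own code: it stops entity-expansion
attacks (nested "billion laughs" and the flat quadratic blowup) at the
parser level using plain expat callbacks from the standard library.
"""
import xml.parsers.expat


class EntitiesForbidden(ValueError):
    """Raised as soon as the DTD declares any entity, or expansion gets too big."""


class ExternalReferenceForbidden(ValueError):
    """Raised if the parser would fetch an external entity."""


def parse_defensively(data: bytes, forbid_entities: bool = True,
                      max_text_bytes: int = 1_000_000):
    """Parse `data`; return (element_names, total_character_data_bytes).

    * EntityDeclHandler rejects every entity declaration (internal or
      external) before a single expansion happens. This is the defusedxml
      default behaviour and kills both attack variants outright.
    * CharacterDataHandler enforces a hard cap on expanded text. With
      forbid_entities=False this is what stops a quadratic blowup: the
      parser may expand the large entity, but only up to max_text_bytes.
    * ExternalEntityRefHandler refuses to fetch external entities; it is
      only reachable when declarations are allowed, so it is defence in depth.
    """
    parser = xml.parsers.expat.ParserCreate()
    element_names = []
    seen = {"bytes": 0}  # mutable counter shared with the callbacks

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Exceptions raised inside an expat callback abort parsing and
        # propagate out of parser.Parse().
        raise EntitiesForbidden(f"entity declaration not allowed: {name!r}")

    def on_external_entity(context, base, system_id, public_id):
        raise ExternalReferenceForbidden(f"external reference not allowed: {system_id!r}")

    def on_start(name, attrs):
        element_names.append(name)

    def on_chars(text):
        # Expanded entity text arrives here as ordinary character data,
        # possibly in several chunks; the running total is what matters.
        seen["bytes"] += len(text.encode("utf-8"))
        if seen["bytes"] > max_text_bytes:
            raise EntitiesForbidden(f"expanded text exceeds {max_text_bytes} bytes")

    if forbid_entities:
        parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)
    return element_names, seen["bytes"]


def is_rejected(data: bytes, **kwargs) -> bool:
    """True if parse_defensively refuses the document, False if it parses."""
    try:
        parse_defensively(data, **kwargs)
    except (EntitiesForbidden, ExternalReferenceForbidden):
        return True
    return False


# Constructed sample documents (not from the defusedxml project).
SAFE_DOC = b"<?xml version='1.0'?><root><a>hi</a><b/></root>"
# One harmless internal entity: enough to trip the declaration guard.
ENTITY_DOC = b'<!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>'
# Quadratic-blowup shape in miniature: a 100-byte entity referenced 20 times
# expands to 2000 bytes of character data from a ~200-byte document.
QUADRATIC_DOC = (b'<!DOCTYPE r [<!ENTITY big "' + b"x" * 100 + b'">]><r>'
                 + b"&big;" * 20 + b"</r>")

if __name__ == "__main__":
    print("safe:", parse_defensively(SAFE_DOC))
    print("entity doc rejected:", is_rejected(ENTITY_DOC))
    print("quadratic, entities allowed, 500-byte cap rejected:",
          is_rejected(QUADRATIC_DOC, forbid_entities=False, max_text_bytes=500))
```

Running the module prints the element list for the benign document, then shows the entity-declaring document being refused by default and the quadratic document being refused by the text cap even when declarations are allowed. The default mode (refuse all declarations) is the one to use unless an application genuinely needs DTD entities.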
Configuration Switches (platform-specific settings discarded)
PY37 ON Build using Python 3.7
PY38 OFF Build using Python 3.8
Package Dependencies by Type
Build and Runtime python37:single:standard
python-setuptools:single:py37
Download groups
main mirror://PYPI/d/defusedxml
Distribution File Information
f684034d135af4c6cbb949b8a4d2ed61634515257a67299e5f940fbaa34377f5 62670 defusedxml-0.6.0.tar.gz
Ports that require python-defusedxml:py37
radicale:py37 CalDAV and CardDAV Server (PY37)