tessl/pypi-defusedxml
XML bomb protection for Python stdlib modules
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
- Describes
'%3e%3cpath%20d='M3.389%209.069c0-.009.043-.033.029-.044L.029%207.77l3.287-1.197L6.574%207.77l.106.083.005%204-3.297%201.185V9.068ZM13.582%209.32V2.74l3.405%201.238v4.104L13.583%209.32ZM10.253%2014.66l-3.476%201.268v-4.027l3.476-1.313v4.072ZM10.253%2010.558l-3.476%201.239V7.784l3.476-1.268v4.042ZM10.253%2014.719v3.968L6.777%2020v-3.998l3.476-1.283ZM17%208.139v4.042l-3.418%201.239V9.378L17%208.138ZM3.3%2017.168%200%2015.943v-4.027l3.3%201.224v4.028ZM6.69%2011.916v4.027l-3.302%201.225v-4.072l3.301-1.18ZM6.69%203.743v4.012l-3.33-1.21V2.564l3.33%201.18Z'/%3e%3cpath%20d='M3.3%2013.066%200%2011.842V7.844l3.3%201.224v3.998ZM13.524%209.334l-.175.088.175-.014v4.027l-3.152%201.183-.06-.032v-3.983l1.986-.767-.111.006-1.876.657V6.531l3.213-1.224v4.027Zm-.263.133c-.065.008-.198.023-.233.088.065-.008.198-.023.233-.088Zm-.321.118c-.065.008-.198.023-.233.088.065-.009.198-.023.233-.088Zm-.321.118c-.066.008-.199.023-.234.088.065-.008.199-.023.234-.088ZM13.524%201.266v3.968l-3.213%201.195V2.46l3.213-1.194ZM10.253%202.475v3.968L6.777%207.726V3.743l3.476-1.268ZM8.2%204.458c-.304.064-.627.5-.708.79-.27.963.636%201.081%201.091.364.277-.437.354-1.308-.383-1.154ZM13.524%2013.51v3.983l-3.17%201.177c-.011%200-.043-.067-.043-.07v-3.895l3.213-1.195Zm-.884%201.63c-.495.085-1.068%201.015-.676%201.435.483.517%201.502-.636%201.147-1.246-.098-.169-.286-.221-.47-.19ZM10.165%202.387l-.037.065-3.395%201.249-3.345-1.212L6.88%201.21l3.285%201.178ZM13.437%201.177l-.088.073-3.057%201.127-3.034-1.082-.277-.133L10.151%200l3.286%201.177Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h17v20H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/pypi-defusedxml@0.7.0index.mddocs/
DefusedXML
A comprehensive Python library that provides XML bomb protection for Python's standard library XML processing modules. DefusedXML offers secure alternatives to xml.etree.ElementTree, xml.sax, xml.dom.minidom, xml.dom.pulldom, and xml.parsers.expat by disabling dangerous features like external entity processing, DTD processing, and entity expansion that can be exploited for billion laughs attacks, quadratic blowup attacks, and external entity attacks.
Package Information
- Package Name: defusedxml
- Language: Python
- Installation:
pip install defusedxml
Core Imports
import defusedxml
from defusedxml import DefusedXmlException, DTDForbidden, EntitiesForbidden, ExternalReferenceForbidden, NotSupportedErrorDrop-in replacements for stdlib modules:
import defusedxml.ElementTree as ET # instead of xml.etree.ElementTree
import defusedxml.sax as sax # instead of xml.sax
import defusedxml.minidom as minidom # instead of xml.dom.minidom
import defusedxml.pulldom as pulldom # instead of xml.dom.pulldomDeprecated modules (avoid in new code):
import defusedxml.cElementTree as cET # DEPRECATED: use defusedxml.ElementTree instead
import defusedxml.lxml as lxml_defused # DEPRECATED: no longer supported, will be removedBasic Usage
import defusedxml.ElementTree as ET
# Parse XML safely with default security restrictions
try:
# Parse from file
tree = ET.parse('document.xml')
root = tree.getroot()
# Parse from string
xml_string = '<root><item>value</item></root>'
root = ET.fromstring(xml_string)
# Access elements normally
for item in root.findall('item'):
print(item.text)
except ET.ParseError as e:
print(f"XML parsing error: {e}")
except defusedxml.DTDForbidden as e:
print(f"DTD processing forbidden: {e}")
except defusedxml.EntitiesForbidden as e:
print(f"Entity processing forbidden: {e}")Architecture
DefusedXML provides secure wrappers around Python's standard XML processing modules:
- Core Security: Common exception hierarchy and security parameter handling
- Parser Wrappers: Secure parsers that inherit from stdlib parsers but add security checks
- Drop-in Replacements: API-compatible modules that can replace stdlib imports
- Configurable Security: Three main security parameters control different attack vectors
The security model prevents XML-based attacks by:
- Blocking DTD processing (prevents external entity attacks and DTD processing attacks)
- Restricting entity expansion (prevents billion laughs and quadratic blowup attacks)
- Forbidding external references (prevents SSRF and local file access)
Capabilities
Exception Handling
Core exception classes for handling XML security violations and library-specific errors.
class DefusedXmlException(ValueError):
"""Base exception for all defusedxml security violations"""
class DTDForbidden(DefusedXmlException):
"""Raised when DTD processing is attempted but forbidden"""
class EntitiesForbidden(DefusedXmlException):
"""Raised when entity processing is attempted but forbidden"""
class ExternalReferenceForbidden(DefusedXmlException):
"""Raised when external reference processing is attempted but forbidden"""
class NotSupportedError(DefusedXmlException):
"""Raised when an operation is not supported by the defused implementation"""ElementTree Processing
Secure ElementTree-based XML parsing with configurable security restrictions, providing drop-in replacement for xml.etree.ElementTree with comprehensive protection against XML attacks.
def parse(source, parser=None, forbid_dtd=False, forbid_entities=True, forbid_external=True): ...
def iterparse(source, events=None, parser=None, forbid_dtd=False, forbid_entities=True, forbid_external=True): ...
def fromstring(text, forbid_dtd=False, forbid_entities=True, forbid_external=True): ...
def XML(text, forbid_dtd=False, forbid_entities=True, forbid_external=True): ...
class DefusedXMLParser: ...SAX Processing
Secure SAX-based XML parsing with event-driven processing and configurable security restrictions, providing drop-in replacement for xml.sax with protection against XML attacks.
def parse(source, handler, errorHandler=None, forbid_dtd=False, forbid_entities=True, forbid_external=True): ...
def parseString(string, handler, errorHandler=None, forbid_dtd=False, forbid_entities=True, forbid_external=True): ...
def make_parser(parser_list=[]): ...
class DefusedExpatParser: ...DOM Processing
Secure DOM-based XML parsing that builds complete document object models with configurable security restrictions, providing drop-in replacements for xml.dom.minidom and xml.dom.pulldom.
# minidom functions
def parse(file, parser=None, bufsize=None, forbid_dtd=False, forbid_entities=True, forbid_external=True): ...
def parseString(string, parser=None, forbid_dtd=False, forbid_entities=True, forbid_external=True): ...
# pulldom functions
def parse(stream_or_string, parser=None, bufsize=None, forbid_dtd=False, forbid_entities=True, forbid_external=True): ...
def parseString(string, parser=None, forbid_dtd=False, forbid_entities=True, forbid_external=True): ...XML-RPC Protection
Secure XML-RPC client and server protection with gzip bomb prevention, providing defused parsers and decompression limits for XML-RPC communications.
def monkey_patch(): ...
def unmonkey_patch(): ...
def defused_gzip_decode(data, limit=None): ...
class DefusedExpatParser: ...
class DefusedGzipDecodedResponse: ...System-wide Protection
Experimental system-wide XML protection by monkey-patching all standard library XML modules with defused alternatives.
def defuse_stdlib(): ...Security Parameters
All parsing functions accept these security configuration parameters:
forbid_dtd(bool, default: False): Forbid DTD processing to prevent DTD-based attacksforbid_entities(bool, default: True): Forbid entity expansion to prevent billion laughs attacksforbid_external(bool, default: True): Forbid external references to prevent SSRF and local file access
Common Patterns
Basic Secure Parsing
Use default security settings for maximum protection:
import defusedxml.ElementTree as ET
root = ET.fromstring(xml_string) # Uses secure defaultsCustom Security Configuration
Adjust security parameters based on trust level:
# Allow DTDs but keep other protections
root = ET.fromstring(xml_string, forbid_dtd=False)
# Allow entities for trusted content
root = ET.fromstring(trusted_xml, forbid_entities=False)Exception Handling
Handle security violations gracefully:
try:
root = ET.fromstring(untrusted_xml)
except defusedxml.DTDForbidden:
# Handle DTD processing attempt
except defusedxml.EntitiesForbidden:
# Handle entity expansion attempt
except defusedxml.ExternalReferenceForbidden:
# Handle external reference attempt