tessl/pypi-defusedxml
XML bomb protection for Python stdlib modules
- Workspace
- tessl
- Visibility
- Public
- Created
- Last updated
- Describes
'%3e%3cpath%20d='M3.389%209.069c0-.009.043-.033.029-.044L.029%207.77l3.287-1.197L6.574%207.77l.106.083.005%204-3.297%201.185V9.068ZM13.582%209.32V2.74l3.405%201.238v4.104L13.583%209.32ZM10.253%2014.66l-3.476%201.268v-4.027l3.476-1.313v4.072ZM10.253%2010.558l-3.476%201.239V7.784l3.476-1.268v4.042ZM10.253%2014.719v3.968L6.777%2020v-3.998l3.476-1.283ZM17%208.139v4.042l-3.418%201.239V9.378L17%208.138ZM3.3%2017.168%200%2015.943v-4.027l3.3%201.224v4.028ZM6.69%2011.916v4.027l-3.302%201.225v-4.072l3.301-1.18ZM6.69%203.743v4.012l-3.33-1.21V2.564l3.33%201.18Z'/%3e%3cpath%20d='M3.3%2013.066%200%2011.842V7.844l3.3%201.224v3.998ZM13.524%209.334l-.175.088.175-.014v4.027l-3.152%201.183-.06-.032v-3.983l1.986-.767-.111.006-1.876.657V6.531l3.213-1.224v4.027Zm-.263.133c-.065.008-.198.023-.233.088.065-.008.198-.023.233-.088Zm-.321.118c-.065.008-.198.023-.233.088.065-.009.198-.023.233-.088Zm-.321.118c-.066.008-.199.023-.234.088.065-.008.199-.023.234-.088ZM13.524%201.266v3.968l-3.213%201.195V2.46l3.213-1.194ZM10.253%202.475v3.968L6.777%207.726V3.743l3.476-1.268ZM8.2%204.458c-.304.064-.627.5-.708.79-.27.963.636%201.081%201.091.364.277-.437.354-1.308-.383-1.154ZM13.524%2013.51v3.983l-3.17%201.177c-.011%200-.043-.067-.043-.07v-3.895l3.213-1.195Zm-.884%201.63c-.495.085-1.068%201.015-.676%201.435.483.517%201.502-.636%201.147-1.246-.098-.169-.286-.221-.47-.19ZM10.165%202.387l-.037.065-3.395%201.249-3.345-1.212L6.88%201.21l3.285%201.178ZM13.437%201.177l-.088.073-3.057%201.127-3.034-1.082-.277-.133L10.151%200l3.286%201.177Z'/%3e%3c/g%3e%3cdefs%3e%3cclipPath%20id='a'%3e%3cpath%20fill='%23fff'%20d='M0%200h17v20H0z'/%3e%3c/clipPath%3e%3c/defs%3e%3c/svg%3e){kind=small}
To install, run
npx @tessl/cli install tessl/pypi-defusedxml@0.7.00
# DefusedXML
1
2
A comprehensive Python library that provides XML bomb protection for Python's standard library XML processing modules. DefusedXML offers secure alternatives to xml.etree.ElementTree, xml.sax, xml.dom.minidom, xml.dom.pulldom, and xml.parsers.expat by disabling dangerous features like external entity processing, DTD processing, and entity expansion that can be exploited for billion laughs attacks, quadratic blowup attacks, and external entity attacks.
3
4
## Package Information
5
6
- **Package Name**: defusedxml
7
- **Language**: Python
8
- **Installation**: `pip install defusedxml`
9
10
## Core Imports
11
12
```python
13
import defusedxml
14
from defusedxml import DefusedXmlException, DTDForbidden, EntitiesForbidden, ExternalReferenceForbidden, NotSupportedError
15
```
16
17
Drop-in replacements for stdlib modules:
18
19
```python
20
import defusedxml.ElementTree as ET # instead of xml.etree.ElementTree
21
import defusedxml.sax as sax # instead of xml.sax
22
import defusedxml.minidom as minidom # instead of xml.dom.minidom
23
import defusedxml.pulldom as pulldom # instead of xml.dom.pulldom
24
```
25
26
**Deprecated modules** (avoid in new code):
27
```python
28
import defusedxml.cElementTree as cET # DEPRECATED: use defusedxml.ElementTree instead
29
import defusedxml.lxml as lxml_defused # DEPRECATED: no longer supported, will be removed
30
```
31
32
## Basic Usage
33
34
```python
35
import defusedxml.ElementTree as ET
36
37
# Parse XML safely with default security restrictions
38
try:
39
# Parse from file
40
tree = ET.parse('document.xml')
41
root = tree.getroot()
42
43
# Parse from string
44
xml_string = '<root><item>value</item></root>'
45
root = ET.fromstring(xml_string)
46
47
# Access elements normally
48
for item in root.findall('item'):
49
print(item.text)
50
51
except ET.ParseError as e:
52
print(f"XML parsing error: {e}")
53
except defusedxml.DTDForbidden as e:
54
print(f"DTD processing forbidden: {e}")
55
except defusedxml.EntitiesForbidden as e:
56
print(f"Entity processing forbidden: {e}")
57
```
58
59
## Architecture
60
61
DefusedXML provides secure wrappers around Python's standard XML processing modules:
62
63
- **Core Security**: Common exception hierarchy and security parameter handling
64
- **Parser Wrappers**: Secure parsers that inherit from stdlib parsers but add security checks
65
- **Drop-in Replacements**: API-compatible modules that can replace stdlib imports
66
- **Configurable Security**: Three main security parameters control different attack vectors
67
68
The security model prevents XML-based attacks by:
69
- Blocking DTD processing (prevents external entity attacks and DTD processing attacks)
70
- Restricting entity expansion (prevents billion laughs and quadratic blowup attacks)
71
- Forbidding external references (prevents SSRF and local file access)
72
73
## Capabilities
74
75
### Exception Handling
76
77
Core exception classes for handling XML security violations and library-specific errors.
78
79
```python { .api }
80
class DefusedXmlException(ValueError):
81
"""Base exception for all defusedxml security violations"""
82
83
class DTDForbidden(DefusedXmlException):
84
"""Raised when DTD processing is attempted but forbidden"""
85
86
class EntitiesForbidden(DefusedXmlException):
87
"""Raised when entity processing is attempted but forbidden"""
88
89
class ExternalReferenceForbidden(DefusedXmlException):
90
"""Raised when external reference processing is attempted but forbidden"""
91
92
class NotSupportedError(DefusedXmlException):
93
"""Raised when an operation is not supported by the defused implementation"""
94
```
95
96
[Exception Handling](./exceptions.md)
97
98
### ElementTree Processing
99
100
Secure ElementTree-based XML parsing with configurable security restrictions, providing drop-in replacement for xml.etree.ElementTree with comprehensive protection against XML attacks.
101
102
```python { .api }
103
def parse(source, parser=None, forbid_dtd=False, forbid_entities=True, forbid_external=True): ...
104
def iterparse(source, events=None, parser=None, forbid_dtd=False, forbid_entities=True, forbid_external=True): ...
105
def fromstring(text, forbid_dtd=False, forbid_entities=True, forbid_external=True): ...
106
def XML(text, forbid_dtd=False, forbid_entities=True, forbid_external=True): ...
107
108
class DefusedXMLParser: ...
109
```
110
111
[ElementTree Processing](./elementtree.md)
112
113
### SAX Processing
114
115
Secure SAX-based XML parsing with event-driven processing and configurable security restrictions, providing drop-in replacement for xml.sax with protection against XML attacks.
116
117
```python { .api }
118
def parse(source, handler, errorHandler=None, forbid_dtd=False, forbid_entities=True, forbid_external=True): ...
119
def parseString(string, handler, errorHandler=None, forbid_dtd=False, forbid_entities=True, forbid_external=True): ...
120
def make_parser(parser_list=[]): ...
121
122
class DefusedExpatParser: ...
123
```
124
125
[SAX Processing](./sax.md)
126
127
### DOM Processing
128
129
Secure DOM-based XML parsing that builds complete document object models with configurable security restrictions, providing drop-in replacements for xml.dom.minidom and xml.dom.pulldom.
130
131
```python { .api }
132
# minidom functions
133
def parse(file, parser=None, bufsize=None, forbid_dtd=False, forbid_entities=True, forbid_external=True): ...
134
def parseString(string, parser=None, forbid_dtd=False, forbid_entities=True, forbid_external=True): ...
135
136
# pulldom functions
137
def parse(stream_or_string, parser=None, bufsize=None, forbid_dtd=False, forbid_entities=True, forbid_external=True): ...
138
def parseString(string, parser=None, forbid_dtd=False, forbid_entities=True, forbid_external=True): ...
139
```
140
141
[DOM Processing](./dom.md)
142
143
### XML-RPC Protection
144
145
Secure XML-RPC client and server protection with gzip bomb prevention, providing defused parsers and decompression limits for XML-RPC communications.
146
147
```python { .api }
148
def monkey_patch(): ...
149
def unmonkey_patch(): ...
150
def defused_gzip_decode(data, limit=None): ...
151
152
class DefusedExpatParser: ...
153
class DefusedGzipDecodedResponse: ...
154
```
155
156
[XML-RPC Protection](./xmlrpc.md)
157
158
### System-wide Protection
159
160
Experimental system-wide XML protection by monkey-patching all standard library XML modules with defused alternatives.
161
162
```python { .api }
163
def defuse_stdlib(): ...
164
```
165
166
[System-wide Protection](./stdlib-patching.md)
167
168
## Security Parameters
169
170
All parsing functions accept these security configuration parameters:
171
172
- `forbid_dtd` (bool, default: False): Forbid DTD processing to prevent DTD-based attacks
173
- `forbid_entities` (bool, default: True): Forbid entity expansion to prevent billion laughs attacks
174
- `forbid_external` (bool, default: True): Forbid external references to prevent SSRF and local file access
175
176
## Common Patterns
177
178
### Basic Secure Parsing
179
Use default security settings for maximum protection:
180
181
```python
182
import defusedxml.ElementTree as ET
183
root = ET.fromstring(xml_string) # Uses secure defaults
184
```
185
186
### Custom Security Configuration
187
Adjust security parameters based on trust level:
188
189
```python
190
# Allow DTDs but keep other protections
191
root = ET.fromstring(xml_string, forbid_dtd=False)
192
193
# Allow entities for trusted content
194
root = ET.fromstring(trusted_xml, forbid_entities=False)
195
```
196
197
### Exception Handling
198
Handle security violations gracefully:
199
200
```python
201
try:
202
root = ET.fromstring(untrusted_xml)
203
except defusedxml.DTDForbidden:
204
# Handle DTD processing attempt
205
except defusedxml.EntitiesForbidden:
206
# Handle entity expansion attempt
207
except defusedxml.ExternalReferenceForbidden:
208
# Handle external reference attempt
209
```