Skip to content

fix: add XXE protection for XML parsing#623

Open
Correctover wants to merge 1 commit into
PaloAltoNetworks:developfrom
Correctover:fix/xml-safety-xxe-protection
Open

fix: add XXE protection for XML parsing#623
Correctover wants to merge 1 commit into
PaloAltoNetworks:developfrom
Correctover:fix/xml-safety-xxe-protection

Conversation

@Correctover

Copy link
Copy Markdown

Security fix for issue #617 Finding 1: Unsafe XML parser.

Added panos/_xml_safety.py with safe_fromstring() that blocks XXE attacks (ENTITY/DOCTYPE with internal subset). Works on Python 2.7+ (defense-in-depth for < 3.11).

Changes:

  • panos/_xml_safety.py: XXE protection module
  • panos/userid.py: Use safe_fromstring() (2 locations)
  • tests/test_xml_safety.py: 6 tests, all pass

Backward compatible, no new dependencies.

Note on Finding 2 (SHA-1): PAN-OS protocol constraint, not SDK-fixable.

Add _xml_safety module with safe_fromstring() and safe_parse() functions
that detect and block XML External Entity (XXE) attack patterns before
parsing.

Changes:
- panos/_xml_safety.py: New module with XXE protection
- panos/userid.py: Replace ET.fromstring() with safe_fromstring()
- tests/test_xml_safety.py: 6 test cases covering safe/unsafe XML

Defense-in-depth for Python < 3.11 (expat 2.6.0+ has built-in protection).
Backward compatible - normal XML parsing unaffected.

Resolves PaloAltoNetworks#617 (Finding 1: Unsafe XML parser)
@Correctover

Copy link
Copy Markdown
Author

Still relevant — Adds critical XXE protection for XML parsing. Happy to rebase or adjust if needed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant