# Buildsheet autogenerated by ravenadm tool -- Do not edit.

NAMEBASE=		python-defusedxml
VERSION=		0.6.0
KEYWORDS=		python
VARIANTS=		py38 py37
SDESC[py37]=		XML bomb protection for stdlib modules (PY37)
SDESC[py38]=		XML bomb protection for stdlib modules (PY38)
HOMEPAGE=		https://github.com/tiran/defusedxml
CONTACT=		Python_Automaton[python@ironwolf.systems]

DOWNLOAD_GROUPS=	main
SITES[main]=		PYPI/d/defusedxml
DISTFILE[1]=		defusedxml-0.6.0.tar.gz:main
DF_INDEX=		1
SPKGS[py37]=		single
SPKGS[py38]=		single

OPTIONS_AVAILABLE=	PY38 PY37
OPTIONS_STANDARD=	none
VOPTS[py37]=		PY38=OFF PY37=ON
VOPTS[py38]=		PY38=ON PY37=OFF

DISTNAME=		defusedxml-0.6.0
GENERATED=		yes

[PY37].USES_ON=		python:py37
[PY38].USES_ON=		python:py38

[FILE:3457:descriptions/desc.single]
===================================================
defusedxml -- defusing XML bombs and other exploits
===================================================

    "It's just XML, what could probably go wrong?"

Christian Heimes

Synopsis
========

The results of an attack on a vulnerable XML library can be fairly dramatic.
With just a few hundred **Bytes** of XML data an attacker can occupy several
**Gigabytes** of memory within **seconds**. An attacker can also keep CPUs busy
for a long time with a small to medium size request. Under some circumstances
it is even possible to access local files on your server, to circumvent a
firewall, or to abuse services to rebound attacks to third parties.

The attacks use and abuse less common features of XML and its parsers. The
majority of developers are unacquainted with features such as processing
instructions and entity expansions that XML inherited from SGML. At best they
know about ``<!DOCTYPE>`` from experience with HTML but they are not aware
that a document type definition (DTD) can generate an HTTP request or load a
file from the file system.

None of the issues is new.
They have been known for a long time. Billion laughs was first reported in
2003. Nevertheless some XML libraries and applications are still vulnerable
and even heavy users of XML are surprised by these features. It's hard to say
whom to blame for the situation. It's too short sighted to shift all blame on
XML parsers and XML libraries for using insecure default settings. After all
they properly implement XML specifications. Application developers must not
assume that a library is, by default, configured securely or configured to
expect potentially harmful data.

.. contents:: Table of Contents
   :depth: 2

Attack vectors
==============

billion laughs / exponential entity expansion
---------------------------------------------

The `Billion Laughs`_ attack -- also known as exponential entity expansion --
uses multiple levels of nested entities. The original example uses 9 levels
of 10 expansions in each level to expand the string lol to a string of
3 * 10\ :sup:`9` bytes, hence the name "billion laughs". The resulting
string occupies 3 GB (2.79 GiB) of memory; intermediate strings require
additional memory. Because most parsers don't cache the intermediate step
for every expansion it is repeated over and over again. It increases the CPU
load even more. An XML document of just a few hundred bytes can disrupt all
services on a machine within seconds.

Example XML::

    <!DOCTYPE xmlbomb [
    <!ENTITY a "1234567890" >
    <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">
    <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;">
    <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;">
    ]>
    <bomb>&d;</bomb>

quadratic blowup entity expansion
---------------------------------

A quadratic blowup attack is similar to a `Billion Laughs`_ attack; it abuses
entity expansion, too. Instead of nested entities it repeats one large entity
with a couple of thousand chars over and over again. The attack isn't as
efficient as the exponential case but it avoids triggering countermeasures of
parsers against heavily nested entities. Some parsers limit the depth and
breadth of a single entity but not the total amount of expanded text
throughout an entire XML document.
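Both bomb shapes above, and the kind of guard defusedxml puts in front of the
stdlib parsers, can be shown with the standard library alone. The block below
is an added example, not code from defusedxml or from the original README. It
builds a nested-entity document and a quadratic-blowup document
programmatically (constructed inputs), then parses them with ``pyexpat`` and
raises from the ``StartDoctypeDeclHandler`` and ``EntityDeclHandler``
callbacks, which are the same expat hooks defusedxml uses for its
``forbid_dtd`` and ``forbid_entities`` switches. The cumulative byte budget on
delivered character data is this example's own addition for the case the
quadratic-blowup paragraph describes: entities must stay enabled, and
per-entity depth and breadth limits never cap the total expanded output. The
names ``make_billion_laughs``, ``make_quadratic_blowup``, ``parse_text`` and
``outcome`` belong to the example, not to the library. One caveat: libexpat
2.4 and later has its own amplification limit, but it only activates once
expanded output passes roughly 8 MiB, so the small documents built here expand
fully when parsed unguarded.

```python
"""Entity-expansion bombs and an expat-level guard against them.

Added example, not defusedxml code. pyexpat propagates an exception raised
inside a handler out of Parse(), which is the mechanism used here (and by
defusedxml) to reject DTDs and entity declarations. The expansion budget is
this example's own design (assumption, not a library feature).
"""
import xml.parsers.expat


class DTDForbidden(ValueError):
    """Document carries a <!DOCTYPE ...> and the caller forbade DTDs."""


class EntitiesForbidden(ValueError):
    """Document declares an entity and the caller forbade entity declarations."""


class ExpansionBudgetExceeded(ValueError):
    """Character data delivered by the parser grew past the caller's budget."""


def make_billion_laughs(depth=4, fanout=8, seed="1234567890"):
    """Constructed input: each entity references the previous one `fanout` times.

    Expanded size is len(seed) * fanout ** (depth - 1); the document itself
    stays a few hundred bytes regardless of how large that gets."""
    decls = [f'<!ENTITY e0 "{seed}">']
    for i in range(1, depth):
        refs = f"&e{i - 1};" * fanout
        decls.append(f'<!ENTITY e{i} "{refs}">')
    body = "\n".join(decls)
    return f"<!DOCTYPE bomb [\n{body}\n]>\n<bomb>&e{depth - 1};</bomb>".encode()


def make_quadratic_blowup(entity_size=1000, repeats=50):
    """Constructed input: one large entity referenced `repeats` times.

    No nesting, so limits on a single entity's depth or breadth do not fire;
    total output is still entity_size * repeats."""
    refs = "&big;" * repeats
    return (f'<!DOCTYPE bomb [\n<!ENTITY big "{"x" * entity_size}">\n]>\n'
            f"<bomb>{refs}</bomb>").encode()


def parse_text(data, *, forbid_dtd=False, forbid_entities=True,
               max_expanded_bytes=None):
    """Parse `data` with expat and return the concatenated character data.

    forbid_dtd:         reject any <!DOCTYPE> (DTDs are rarely legitimate input)
    forbid_entities:    reject any entity declaration (stops both bomb shapes)
    max_expanded_bytes: cap on total character data the parser delivers;
                        catches blowups even when entities must stay enabled
    """
    parser = xml.parsers.expat.ParserCreate()
    chunks = []
    seen = 0

    def on_char_data(text):
        # Called once per delivered chunk; expanded entity text arrives here.
        nonlocal seen
        seen += len(text.encode("utf-8"))
        if max_expanded_bytes is not None and seen > max_expanded_bytes:
            raise ExpansionBudgetExceeded(f"{seen} > {max_expanded_bytes} bytes")
        chunks.append(text)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden(name)

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise EntitiesForbidden(name)

    parser.CharacterDataHandler = on_char_data
    if forbid_dtd:
        parser.StartDoctypeDeclHandler = on_doctype
    if forbid_entities:
        parser.EntityDeclHandler = on_entity_decl
    parser.Parse(data, True)
    return "".join(chunks)


def outcome(data, **options):
    """Return "ok:<chars of text>" or the name of the guard that rejected the input."""
    try:
        return f"ok:{len(parse_text(data, **options))}"
    except (DTDForbidden, EntitiesForbidden, ExpansionBudgetExceeded) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    bomb = make_billion_laughs()
    print(len(bomb), "bytes of XML, unguarded ->", outcome(bomb, forbid_entities=False))
    print("forbid_entities ->", outcome(bomb))
    print("forbid_dtd ->", outcome(bomb, forbid_dtd=True))
    quad = make_quadratic_blowup()
    print("quadratic, 10 KiB budget ->",
          outcome(quad, forbid_entities=False, max_expanded_bytes=10_000))
```

With the defaults, ``make_billion_laughs()`` is about 200 bytes of XML and
expands to 5120 characters; raising ``depth`` to 9 and ``fanout`` to 10 with
the seed ``lol`` reproduces the original 3 GB case, which is why the unguarded
call is only safe to try on the small parameters. Forbidding entity
declarations is the right default for untrusted input; the byte budget is for
the rarer case where a document legitimately needs its own internal entities.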
[FILE:102:distinfo]
f684034d135af4c6cbb949b8a4d2ed61634515257a67299e5f940fbaa34377f5    62670 defusedxml-0.6.0.tar.gz