This repository was archived by the owner on May 14, 2021. It is now read-only.
Parsing XML from sources you don't control opens the door for multiple XML parser vulnerabilities. lxml prevents some, but not all, with quadratic blowup being one of them. Switching to defusedxml would fix this.
Expected Behavior
nexpose-client-python should avoid entity expansion when parsing incoming XML.
Current Behavior
nexpose-client-python may open up the user to XML parser vulnerabilities if pointed at a fake nexpose instance.
Possible Solution
Use defusedxml, which is a drop-in replacement for lxml.
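As an added example (not code from this issue or from nexpose-client-python), a hypothetical guard for XML received from an untrusted server: it uses defusedxml's `forbid_dtd` when that library is installed and otherwise rejects any document carrying a DOCTYPE before the stdlib parser sees it, since every entity-expansion payload (billion laughs, quadratic blowup) needs one. The element names and sample payloads are constructed.

```python
"""Parse untrusted XML without entity expansion (hypothetical helper)."""
import re
import xml.etree.ElementTree as ET

# A DTD (and with it any <!ENTITY ...> declaration) can only be introduced
# by a DOCTYPE. Assumes an ASCII-compatible encoding such as UTF-8; decode
# UTF-16 input before applying this byte-level check.
_DOCTYPE = re.compile(rb"<!DOCTYPE")


class UnsafeXML(ValueError):
    """Raised when untrusted XML declares a DTD."""


def reject_dtd(data: bytes) -> bytes:
    """Refuse documents that carry a DOCTYPE; return the data unchanged otherwise."""
    if _DOCTYPE.search(data):
        raise UnsafeXML("DOCTYPE declaration in untrusted XML")
    return data


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse with defusedxml if available, else guard the stdlib parser."""
    try:
        from defusedxml.ElementTree import fromstring  # raises DTDForbidden (a ValueError)
        return fromstring(data, forbid_dtd=True)
    except ImportError:
        # Fallback: expat would still expand internal entities, so strip the
        # possibility of declaring them before parsing.
        return ET.fromstring(reject_dtd(data))


def is_rejected(data: bytes) -> bool:
    """True when the guard refuses the document."""
    try:
        parse_untrusted(data)
    except ValueError:
        return True
    return False


# Constructed samples: a benign API-style response and a quadratic-blowup
# payload (one large entity referenced many times).
BENIGN = b'<SiteListingResponse success="1"><SiteSummary id="1" name="lab"/></SiteListingResponse>'
QUADRATIC = (b'<?xml version="1.0"?><!DOCTYPE bomb [<!ENTITY a "' + b"A" * 1000
             + b'">]><x>' + b"&a;" * 1000 + b"</x>")
```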