Comments (5)
So after some digging on this topic, it seems Python has a vendored version of expat embedded. This is the default version (at least for macOS and Windows). However, it does seem permitted
to use an external system-level version. So maybe there is still a window of vulnerability there? In any case, the latest minor versions of Python 3.8 to 3.12 all vendor expat 2.5.0 now.
So it might make sense to deprecate or remove this check.
from bandit.
To see the vendored version of expat embedded in Python you can browse to:
https://github.com/python/cpython/blob/3.8/Modules/expat/expat.h#L1056C20-L1056C20
At the bottom of this header file you'll find the expat major, minor, and micro version.
from bandit.
However, I also found that the oldest version of Python 3.8, 3.8.0, which Bandit officially still supports, does include an older, vulnerable version of expat, 2.2.8:
https://github.com/python/cpython/blob/v3.8.0/Modules/expat/expat.h#L1016
The same can be found for Python 3.9.0:
https://github.com/python/cpython/blob/v3.9.0/Modules/expat/expat.h#L1016
Python 3.10.0 is the first minor version to have the fixed expat 2.4.1:
https://github.com/python/cpython/blob/v3.10.0/Modules/expat/expat.h#L1042
As such, we should leave this plugin check for xml.etree.ElementTree at least until 3.9.0
is end-of-life.
from bandit.
Expat 2.4.1 wasn't added to Python 3.8 until 3.8.12. Similarly for 3.9, not until 3.9.7.
from bandit.
I also checked the latest patch for Python 3.6 (3.6.15) and 3.7 (3.7.17); both are safe. Only from (3.5 <=) did the latest patch not include the fix. I couldn't find their repo branches that I can refer to, but I just tested by running all 5 possible XML vulns.
Might be useful to know.
from bandit.
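A small check for the expat version, as an added example that is not from this thread or from Bandit: it reads the XML_MAJOR/MINOR/MICRO_VERSION macros that sit at the bottom of CPython's expat.h, parses the `EXPAT_VERSION` string that `xml.parsers.expat` exposes at runtime, and compares either against the 2.4.1 release the thread names as the fix. The header text in the block is constructed to mirror the 3.8.0 values quoted above.

```python
"""Check whether an expat build is at or above the release that fixed the
issues the thread discusses (2.4.1), from vendored expat.h text or from the
expat actually linked into the running interpreter (vendored or system)."""
import re
import xml.parsers.expat as pyexpat

# First expat release containing the fixes referred to in the thread.
FIXED_EXPAT = (2, 4, 1)

# The three version macros at the bottom of expat.h, e.g. "#define XML_MAJOR_VERSION 2".
_MACRO_RE = re.compile(r"^#define\s+XML_(MAJOR|MINOR|MICRO)_VERSION\s+(\d+)", re.M)


def expat_version_from_header(header_text):
    """Return (major, minor, micro) from the XML_*_VERSION macros in expat.h text."""
    found = {m.group(1): int(m.group(2)) for m in _MACRO_RE.finditer(header_text)}
    if set(found) != {"MAJOR", "MINOR", "MICRO"}:
        raise ValueError("expat.h text does not define all three version macros")
    return (found["MAJOR"], found["MINOR"], found["MICRO"])


def expat_version_from_string(version_string):
    """Parse pyexpat.EXPAT_VERSION, e.g. 'expat_2.5.0', into a tuple."""
    m = re.fullmatch(r"expat_(\d+)\.(\d+)\.(\d+)", version_string.strip())
    if not m:
        raise ValueError("unrecognised expat version string: %r" % version_string)
    return tuple(int(x) for x in m.groups())


def expat_is_fixed(version, fixed=FIXED_EXPAT):
    """True if the expat version tuple is at or above the fixed release."""
    return tuple(version) >= tuple(fixed)


def runtime_expat_status():
    """Report the expat linked into this interpreter; a system expat shows up here too."""
    version = tuple(pyexpat.version_info)
    return {"expat": pyexpat.EXPAT_VERSION, "version": version,
            "fixed": expat_is_fixed(version)}


# Constructed sample shaped like the macros in CPython 3.8.0's expat.h (expat 2.2.8).
SAMPLE_HEADER_3_8_0 = """
#define XML_MAJOR_VERSION 2
#define XML_MINOR_VERSION 2
#define XML_MICRO_VERSION 8
"""

if __name__ == "__main__":
    v = expat_version_from_header(SAMPLE_HEADER_3_8_0)
    print("header sample:", v, "fixed" if expat_is_fixed(v) else "vulnerable")
    print("this interpreter:", runtime_expat_status())
```

Running it on an interpreter built against a system expat reports that library rather than the vendored one, which is the case the first comment flags.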