You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The use of xml.etree.ElementTree is known to be vulnerable to XML attacks, especially for parsing untrusted XML data. It is recommended to replace it with the defusedxml package.
In the pan-os-upgrade-assurance project we use python panos SDK which is using ElementTree as well and the method used for sending commands Firewall.op() returns an Element class object of xml.etree.ElementTree. However, an equivalent Element class is not present in the defusedxml.ElementTree which makes it hard to replace our use of xml.etree.ElementTree with defusedxml.
Following is the issue related to missing Element class in defusedxml. tiran/defusedxml#48
Currently we skip xml elementtree related complaints in security scanning. Considering we are only parsing XML returned from PANOS devices but not sending user input XML commands we don't expect a security threat.
The text was updated successfully, but these errors were encountered:
The use of
xml.etree.ElementTreeis known to be vulnerable to XML attacks, especially for parsing untrusted XML data. It is recommended to replace it with thedefusedxmlpackage.In the pan-os-upgrade-assurance project we use python panos SDK which is using ElementTree as well and the method used for sending commands
Firewall.op()returns an Element class object of xml.etree.ElementTree. However, an equivalentElementclass is not present in thedefusedxml.ElementTreewhich makes it hard to replace our use ofxml.etree.ElementTreewithdefusedxml.Following is the issue related to missing Element class in defusedxml.
tiran/defusedxml#48
Currently we skip xml elementtree related complaints in security scanning. Considering we are only parsing XML returned from PANOS devices but not sending user input XML commands we don't expect a security threat.
The text was updated successfully, but these errors were encountered: