
Update Qualys WebApp parser to use DefusedXML #10637

Merged (2 commits) on Jul 29, 2024

Conversation

@Maffooch (Contributor) commented Jul 26, 2024

The Qualys WebApp parser is not using defusedxml like the rest of the parsers. This needs to change, as defusedxml is widely considered to be the more secure option.

[sc-7039]


dryrunsecurity bot commented Jul 26, 2024

DryRun Security Summary

The provided code change is focused on enhancing the security of the Qualys WebApp parser by addressing a potential XML External Entity (XXE) vulnerability. The key changes include:

  1. Replacing the use of the standard xml.etree.ElementTree module with the defusedxml.ElementTree module, which is designed to prevent XXE attacks.
  2. Updating the xml.etree.ElementTree.parse() function call to use the ElementTree.parse() function from the defusedxml module.

These changes are a proactive security measure to mitigate the risk of XXE vulnerabilities in the Qualys WebApp parser. XXE vulnerabilities can allow attackers to access sensitive data or perform other malicious actions, so replacing the standard XML parsing library with a more secure alternative is a recommended security practice.

Files Changed:

  • dojo/tools/qualys_webapp/parser.py: This file has been updated to replace the use of the standard xml.etree.ElementTree module with the defusedxml.ElementTree module, and the xml.etree.ElementTree.parse() function call has been updated to use the ElementTree.parse() function from the defusedxml module. These changes are intended to address potential XXE vulnerabilities in the Qualys WebApp parser.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

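To make the difference the PR is about concrete, here is an added example (not code from DefectDojo, from the PR, or from the defusedxml package). It re-creates with the standard library only the expat hooks that defusedxml installs on `xml.etree.ElementTree.XMLParser`, then runs the stock parser and the hardened one over a constructed report. The element names `WAS_SCAN_REPORT/RESULTS/VULNERABILITY_LIST/VULNERABILITY` only loosely follow a Qualys WAS export and are an assumption, as are the names `DefusedXMLParser`, `ForbiddenXML` and the helper functions; the DTD prepended to the malicious sample is a small "billion laughs" entity bomb. In the project itself the fix is simply the import swap the PR makes.

```python
"""Entity expansion through xml.etree versus a defused parser.

Added example, not code from DefectDojo or defusedxml: it re-creates with the
standard library the expat hooks defusedxml installs, so the difference the
PR makes can be seen on one constructed Qualys-like report.
"""
import importlib
import sys
import xml.etree.ElementTree as ET


def _report(title, dtd=""):
    """Constructed report skeleton; the element names are an assumption that
    only loosely follows a Qualys WAS XML export."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>{dtd}
<WAS_SCAN_REPORT><RESULTS><VULNERABILITY_LIST><VULNERABILITY>
<QID>150001</QID><TITLE>{title}</TITLE>
</VULNERABILITY></VULNERABILITY_LIST></RESULTS></WAS_SCAN_REPORT>"""


# Constructed entity bomb: &d; expands to 10 * 10 * 10 = 1000 copies of the
# 30-byte base string, i.e. 30000 characters from a 3-character reference.
_BOMB_DTD = f"""
<!DOCTYPE WAS_SCAN_REPORT [
  <!ENTITY a "{'lol' * 10}">
  <!ENTITY b "{'&a;' * 10}">
  <!ENTITY c "{'&b;' * 10}">
  <!ENTITY d "{'&c;' * 10}">
]>"""
MALICIOUS_REPORT = _report("&d;", dtd=_BOMB_DTD)
BENIGN_REPORT = _report("Reflected Cross-Site Scripting (XSS)")  # no DTD at all
TITLE_PATH = "RESULTS/VULNERABILITY_LIST/VULNERABILITY/TITLE"


class ForbiddenXML(ValueError):
    """Raised when a report contains XML constructs we refuse to process."""


def _pure_python_elementtree():
    """Import the pure-Python xml.etree.ElementTree (the C accelerator hides
    the expat parser, so it cannot be hooked). Same trick defusedxml uses;
    the normally imported module is put back afterwards."""
    saved_py = sys.modules.pop("xml.etree.ElementTree")
    saved_c = sys.modules.pop("_elementtree", None)
    sys.modules["_elementtree"] = None  # makes `import _elementtree` fail
    try:
        return importlib.import_module("xml.etree.ElementTree")
    finally:
        sys.modules["xml.etree.ElementTree"] = saved_py
        sys.modules["xml.etree"].ElementTree = saved_py
        if saved_c is None:
            del sys.modules["_elementtree"]
        else:
            sys.modules["_elementtree"] = saved_c


_PURE_ET = _pure_python_elementtree()


class DefusedXMLParser(_PURE_ET.XMLParser):
    """XMLParser whose expat callbacks refuse, rather than expand, entity
    declarations and external references (defusedxml's default policy)."""

    def __init__(self, *, target=None, encoding=None):
        super().__init__(target=target, encoding=encoding)
        expat_parser = self.parser  # the pyexpat.xmlparser object
        expat_parser.EntityDeclHandler = self._refuse("entity declaration")
        expat_parser.UnparsedEntityDeclHandler = self._refuse("unparsed entity")
        expat_parser.ExternalEntityRefHandler = self._refuse("external entity reference")

    @staticmethod
    def _refuse(what):
        def handler(*_args):
            raise ForbiddenXML(f"{what} is not allowed in an untrusted report")
        return handler


def parse_with_stdlib(xml_text):
    """Before the PR: xml.etree expands every internal entity it is given."""
    return len(ET.fromstring(xml_text).findtext(TITLE_PATH))


def parse_defused(xml_text):
    """After the PR (re-created here): the first entity declaration aborts
    the parse before anything is expanded."""
    root = _PURE_ET.fromstring(xml_text, parser=DefusedXMLParser())
    return len(root.findtext(TITLE_PATH))


def safe_title_length(xml_text):
    """Finding title length, or None when the report was rejected."""
    try:
        return parse_defused(xml_text)
    except ForbiddenXML:
        return None
```

`parse_with_stdlib(MALICIOUS_REPORT)` returns 30000, the fully expanded title, while `safe_title_length(MALICIOUS_REPORT)` returns None and the benign report parses identically through both. Two caveats worth knowing when weighing the change: the Python docs list `xml.etree` as safe against external entity expansion on its own (it does not fetch the referenced resource), so the concrete gain for an upload-driven parser is mainly against entity-expansion denial of service (billion laughs, quadratic blowup); and Expat 2.4.1 and later cap amplification once a parse passes a built-in threshold (8 MiB by default), which stops a full-size bomb but still expands anything under that threshold, as this sample shows. defusedxml leaves DTDs themselves allowed by default; since a scanner report has no reason to carry one, `defusedxml.ElementTree.parse(..., forbid_dtd=True)` is a reasonable stricter setting.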

@mtesauro (Contributor) left a comment


Approved

@manuel-sommer (Contributor) commented

Hi @Maffooch.
Do you think this PR has a chance to get merged: #9840?

@mtesauro merged commit 04f5e08 into DefectDojo:bugfix on Jul 29, 2024
126 checks passed
@Maffooch deleted the xml branch on August 6, 2024 at 17:24
6 participants