nyx/tests/dynamic_fixtures/xxe/python/vuln.py

"""Phase 05 (Track J.3) — Python XXE vuln fixture.

The function pulls XML bytes off the request and feeds them straight
to `lxml.etree.XMLParser(resolve_entities=True)`, so any
`<!ENTITY xxe SYSTEM "file:///…">` in the payload is resolved and its
body substituted into the parsed tree.
"""
from lxml import etree


def run(body: bytes):
    parser = etree.XMLParser(resolve_entities=True)
    return etree.fromstring(body, parser=parser)
Dynamic (#77) 2026-06-05 10:16:30 -05:00			`"""Phase 05 (Track J.3) — Python XXE vuln fixture.`

			`The function pulls XML bytes off the request and feeds them straight`
			to `lxml.etree.XMLParser(resolve_entities=True)`, so any
			`<!ENTITY xxe SYSTEM "file:///…">` in the payload is resolved and its
			`body substituted into the parsed tree.`
			`"""`
			`from lxml import etree`


			`def run(body: bytes):`
			`parser = etree.XMLParser(resolve_entities=True)`
			`return etree.fromstring(body, parser=parser)`