new capacity bits (#67)

This commit is contained in:
Eli Peter 2026-05-07 01:29:31 -04:00 committed by GitHub
parent afaffc0df6
commit 7d0e7320e2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
261 changed files with 10591 additions and 231 deletions


@ -0,0 +1,8 @@
# Baseline: tainted body flows through a non-parser string operation.
# No XML parser entry point, no XXE label classification.
from flask import request
def handle():
body = request.args.get("xml")
return "<wrap>" + body + "</wrap>"

10
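--- /dev/null
+++ b/tests/fixtures/xxe/python/safe_lxml.py
@@ -0,0 +1,10 @@
+# Safe: lxml.etree.parse is XXE-safe by default in modern lxml — external
+# entities are not resolved unless `XMLParser(resolve_entities=True)` is
+# passed in. No XXE rule should fire here.
+import lxml.etree
+from flask import request
+def handle():
+body = request.args.get("xml")
+return lxml.etree.parse(body)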
9
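--- /dev/null
+++ b/tests/fixtures/xxe/python/safe_xxe.py
@@ -0,0 +1,9 @@
+# Safe: tainted XML routed through defusedxml, which strips external-entity
+# resolution. Treated as a Sanitizer(XXE), so taint-xxe stays clean.
+import defusedxml.ElementTree
+from flask import request
+def handle():
+body = request.args.get("xml")
+tree = defusedxml.ElementTree.fromstring(body)
+return tree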

@ -0,0 +1,16 @@
# Unsafe: tainted XML reaches an lxml.etree.XMLParser instance whose
# constructor was explicitly opted into entity resolution
# (`resolve_entities=True`). lxml is XXE-safe by default, but this
# opt-in form is the documented unsafe escape hatch. The
# constructor-driven fact is captured in XmlParserConfigResult
# (external_entities=True) and the parser.feed(xml) call adds
# Cap::XXE on top of the otherwise empty sink_caps.
from lxml import etree
from flask import request
def handle():
body = request.args.get("xml")
parser = etree.XMLParser(resolve_entities=True)
parser.feed(body)
return parser.close()
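Review bot: The premise in the header comment's third line that lxml is XXE-safe by default does not hold: `etree.XMLParser`'s `resolve_entities` option defaults to True, and the default `no_network=True` only stops the parser fetching remote entities, so a default `XMLParser()` (and `lxml.etree.parse(body)` with no parser argument) still expands local external entities such as `<!ENTITY x SYSTEM "file:///etc/passwd">`. That means this fixture's `resolve_entities=True` merely restates the default, and the companion safe_lxml.py fixture in this commit, which expects no finding on `lxml.etree.parse(body)`, encodes the vulnerable default as the safe case. The safe opt-out is `resolve_entities=False` (newer lxml releases, as far as I recall, also accept `'internal'`), so XmlParserConfigResult should record external_entities=True for an lxml parser unless that keyword is present, and the comment here should read `# lxml resolves entities by default (no_network only blocks remote fetches); the safe form is XMLParser(resolve_entities=False).` This fixture's file path is not shown on the page, so I cannot tell which name the rule's test table keys it under.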


@ -0,0 +1,8 @@
# Unsafe: tainted XML reaches xml.sax.parseString, which is XXE-vulnerable
# by default in Python's stdlib.
import xml.sax
from flask import request
def handle():
body = request.args.get("xml")
return xml.sax.parseString(body, MyHandler())
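Review bot: The header comment's claim that `xml.sax.parseString` is XXE-vulnerable by default is out of date for supported Pythons: since 3.7.1 the expat-based SAX reader leaves `feature_external_ges` off, so external entities are expanded only when a caller enables it, e.g. `parser = xml.sax.make_parser()`, `parser.setFeature(xml.sax.handler.feature_external_ges, True)`, `parser.parse(io.StringIO(body))`. A rule calibrated to this fixture would report every default `parseString` call as XXE while the actual opt-in form has no fixture at all; if a default stdlib parser is meant to count as a sink anyway (entity-expansion DoS is still possible), the comment should say that is the rule's policy rather than a property of `xml.sax`. Suggested wording: `# Unsafe: xml.sax expands external entities only when feature_external_ges is enabled (or on Python < 3.7.1); flagged here as an unconfigured stdlib parser.` `MyHandler` is never defined in the file, which is fine for a static fixture, but a one-line `class MyHandler(xml.sax.handler.ContentHandler): pass` would keep it importable.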