Hi, there are several security issues in the code found in this repository.

The first is that, in sendgrid-python-dmarc-parser/dmarc_parser/unzip.py (line 28 in 9cfac09),

    file = open(os.path.join(self.dir,name), 'wb')

is vulnerable to path traversal. It needs to filter out path traversal characters (e.g. take the basename of a given file) or generate its own filename(s) or consume the xml without writing it to the file system to fix this issue.

Another issue that seemingly exists is XXE (https://en.wikipedia.org/wiki/XML_external_entity_attack) when parsing dmarc xml reports. This appears to be in
https://github.com/thinkingserious/sendgrid-python-dmarc-parser/blob/master/dmarc_parser/parse_dmarc.py#L26
and can be fixed by making use of https://pypi.org/project/defusedxml/.
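A worked example of the two fixes the report asks for: keeping only the basename of each archive member (with a containment check on the destination), parsing reports in memory instead of writing them to disk, and refusing XML that declares a DTD, an entity or an external reference. This is added example code, not the sendgrid-python-dmarc-parser project's own; it uses defusedxml when that package is installed and otherwise applies the same DTD/entity rule with the standard library's expat bindings. The sample report, the hostile XXE sample and the in-memory archive are constructed for the demonstration, and `safe_member_path`, `reject_dtd`, `parse_dmarc_report`, `parse_reports_from_zip`, `extract_reports`, `total_message_count` and `build_zip` are names chosen here.

```python
"""Hardened DMARC report handling: added example, not the project's own code."""
import io
import os
import posixpath
import xml.etree.ElementTree as ET
import xml.parsers.expat
import zipfile

try:  # defusedxml is the drop-in the issue recommends; prefer it when installed
    from defusedxml.ElementTree import fromstring as _defused_fromstring
except ImportError:  # fall back to the expat-based check below
    _defused_fromstring = None

# Constructed sample aggregate report (not a real SendGrid report).
SAMPLE_REPORT = b"""<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example.net</org_name><report_id>1</report_id></report_metadata>
  <record><row><source_ip>192.0.2.10</source_ip><count>3</count></row></record>
  <record><row><source_ip>192.0.2.11</source_ip><count>4</count></row></record>
</feedback>
"""

# Constructed hostile report: the external entity declaration that XXE relies on.
XXE_REPORT = b"""<?xml version="1.0"?>
<!DOCTYPE feedback [<!ENTITY ext SYSTEM "file:///etc/hostname">]>
<feedback><report_metadata><org_name>&ext;</org_name></report_metadata></feedback>
"""


def safe_member_path(base_dir, member_name):
    """Map an archive member name to a file directly under base_dir.

    Only the final path component survives, so '../../x.xml', '/etc/x.xml'
    and 'a\\..\\..\\x.xml' all become base_dir/x.xml.
    """
    name = posixpath.basename(member_name.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise ValueError("archive member has no usable file name: %r" % (member_name,))
    base = os.path.realpath(base_dir)
    dest = os.path.realpath(os.path.join(base, name))
    # basename() already rules out escapes; the containment check stays as a
    # guard for future edits that might allow sub-directories.
    if os.path.commonpath([base, dest]) != base:
        raise ValueError("destination %r escapes %r" % (dest, base))
    return dest


def reject_dtd(xml_bytes):
    """Raise ValueError if the document declares a DTD, an entity or an external reference.

    Same rule defusedxml enforces, expressed with the standard library's expat
    bindings so the check also works when the package is absent.
    """
    parser = xml.parsers.expat.ParserCreate()

    def forbid(*_args):
        raise ValueError("DTD and entity declarations are not allowed in DMARC reports")

    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.ExternalEntityRefHandler = forbid
    parser.Parse(xml_bytes, True)


def parse_dmarc_report(xml_bytes):
    """Parse one aggregate report, refusing XXE and entity-expansion payloads."""
    if _defused_fromstring is not None:
        return _defused_fromstring(xml_bytes)  # raises a ValueError subclass on entities
    reject_dtd(xml_bytes)
    return ET.fromstring(xml_bytes)


def parse_reports_from_zip(zip_bytes):
    """Parse every .xml member in memory; nothing is written to disk."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [parse_dmarc_report(zf.read(info)) for info in zf.infolist()
                if not info.is_dir() and info.filename.lower().endswith(".xml")]


def extract_reports(zip_bytes, dest_dir):
    """If reports must be written out, store each .xml member under its basename only."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(".xml"):
                continue
            dest = safe_member_path(dest_dir, info.filename)
            with open(dest, "wb") as fh:
                fh.write(zf.read(info))
            written.append(dest)
    return written


def total_message_count(root):
    """Sum <count> over every <record>/<row> of a parsed report."""
    return sum(int(c.text) for c in root.iterfind("./record/row/count"))


def build_zip(members):
    """Build an in-memory archive from {member_name: bytes}; used only to construct demo input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()
```

Taking the basename is preferred over stripping `../` sequences from the name, because a nested sequence such as `....//` survives a single strip while `posixpath.basename` keeps only the last component regardless of how the rest is spelled. Note the two parsing paths differ slightly in strictness: defusedxml's defaults forbid entity declarations and external references but still accept a bare DOCTYPE, while the expat fallback rejects any DOCTYPE at all; since DMARC aggregate reports never carry a DTD, the stricter rule costs nothing.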