Should one still use defusedxml instead of built-in XML libraries?

[martina-oefelein]

Ruff 0.0.259 adds several flake8-bandit rules that warn about using the built-in XML libraries, and recommend using defusedxml instead, see PR #3239

I wonder whether one should still use defusedxml in 2023. Reasons:

• The latest release of defusedxml is over two years old, and doesn't (officially) support any Python version newer than 3.9
• The author described the project as abondoned already in 2018:

Yes, the project is pretty much abandoned. The next versions of CPython 2.7, 3.6, and 3.7 as well as expat 2.3.0 will contain all necessary fixes.

• While the official documentation still marks the built-in XML libraries as vulnerable, they also contain this statement:

Expat 2.4.1 and newer is not vulnerable to the “billion laughs” and “quadratic blowup” vulnerabilities. Items still listed as vulnerable due to potential reliance on system-provided libraries. Check pyexpat.EXPAT_VERSION.

• expat is frequently updated, and these updates often contain security fixes. defusedxml doesn't address most of those security issues, so using a vulnerable version of expat with defusedxml isn't secure anyway.

So maybe the recommendation should be changed to "make sure your build of Python uses the expat 2.4.1 or newer"?

[charliermarsh]

Oh interesting! I was following Bandit's lead here.

I wonder if this decision is "bigger" than Ruff, since the Python documentation still recommends defusedxml:

defusedxml is a pure Python package with modified subclasses of all stdlib XML parsers that prevent any potentially malicious operation. Use of this package is recommended for any server code that parses untrusted XML data. The package also ships with example exploits and extended documentation on more XML exploits such as XPath injection.

[gboeing]

I wonder if this decision is "bigger" than Ruff, since the Python documentation still recommends defusedxml

See this recent conversation: https://discuss.python.org/t/status-of-defusedxml-and-recommendation-in-docs/34762/21