# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. # SPDX-License-Identifier: Apache-2.0 # {fact rule=xml-external-entity@v1.0 defects=1} def xml_parse_noncompliant(): from lxml import etree # Noncompliant: resolve_entities is not disabled # and is set to true by default. parser = etree.XMLParser() tree1 = etree.parse('resources/xxe.xml', parser) # {/fact} # {fact rule=xml-external-entity@v1.0 defects=0} def xml_parse_compliant(): from lxml import etree # Compliant: resolve_entities is disabled. parser = etree.XMLParser(resolve_entities=False) tree1 = etree.parse('resources/xxe.xml', parser) # {/fact}