fixed issue #87

.travis.yml

@@ -16,6 +16,7 @@ before_install:
   - "sudo apt-get install nmap -qq"
 install:
   - "pip install flake8"
+  - "pip install defusedxml"
   # - "pip install boto" # disabled: since boto not supporting py3
   # - "pip install pymongo sqlalchemy MySQL-python" # disabled MySQL-python (not py3 compatible)
   # - "pip install pymongo sqlalchemy pymysql"

CHANGES.txt

@@ -1,3 +1,4 @@
+v0.7.1, 22/11/2020 -- code clean-up + fix for CVE-2019-1010017
 v0.7.0, 28/02/2016 -- A few bugfixes
                     - fixe of endless loop in Nmap.Process. Fix provided by @rcarrillo, many thanks!
 v0.6.3, 18/08/2015 -- Merged pull requests for automatic pypi upload, thanks @bmx0r

TODO

@@ -1,3 +1,8 @@
+0.7.1: - clean-up blacked code and pylint it 
+0.7.1: - add unittest for defusedxml
+           - billionlaugh and external entities
+0.7.1: - add CSV backend support
+0.7.1: - Change License
 - improve API for NSE scripts
 - add support for post,pre and host scripts
 - complete unit tests with coverall support

examples/check_cpe.py

@@ -5,27 +5,34 @@
 
 rep = NmapParser.parse_fromfile("libnmap/test/files/full_sudo6.xml")
 
-print("Nmap scan discovered {0}/{1} hosts up".format(rep.hosts_up,
-                                                     rep.hosts_total))
+print(
+    "Nmap scan discovered {0}/{1} hosts up".format(
+        rep.hosts_up, rep.hosts_total
+    )
+)
 for _host in rep.hosts:
     if _host.is_up():
-        print("+ Host: {0} {1}".format(_host.address,
-                                       " ".join(_host.hostnames)))
+        print(
+            "+ Host: {0} {1}".format(_host.address, " ".join(_host.hostnames))
+        )
 
         # get CPE from service if available
         for s in _host.services:
-            print("    Service: {0}/{1} ({2})".format(s.port,
-                                                      s.protocol,
-                                                      s.state))
+            print(
+                "    Service: {0}/{1} ({2})".format(
+                    s.port, s.protocol, s.state
+                )
+            )
             # NmapService.cpelist returns an array of CPE objects
             for _serv_cpe in s.cpelist:
                 print("        CPE: {0}".format(_serv_cpe.cpestring))
 
         if _host.os_fingerprinted:
             print("  OS Fingerprints")
             for osm in _host.os.osmatches:
-                print("    Found Match:{0} ({1}%)".format(osm.name,
-                                                          osm.accuracy))
+                print(
+                    "    Found Match:{0} ({1}%)".format(osm.name, osm.accuracy)
+                )
                 # NmapOSMatch.get_cpe() method return an array of string
                 # unlike NmapOSClass.cpelist which returns an array of CPE obj
                 for cpe in osm.get_cpe():

examples/diff_sample2.py

@@ -66,7 +66,9 @@ def print_diff(obj1, obj2):
 
 
 def main():
-    newrep = NmapParser.parse_fromfile("libnmap/test/files/2_hosts_achange.xml")
+    newrep = NmapParser.parse_fromfile(
+        "libnmap/test/files/2_hosts_achange.xml"
+    )
     oldrep = NmapParser.parse_fromfile("libnmap/test/files/1_hosts.xml")
 
     print_diff(newrep, oldrep)

examples/elastikibana.py

@@ -27,10 +27,9 @@ def get_os(nmap_host):
         cpelist = nmap_host.os.os_cpelist()
         if len(cpelist):
             mcpe = cpelist.pop()
-            rval.update({
-                    "vendor": mcpe.get_vendor(),
-                    "product": mcpe.get_product()
-            })
+            rval.update(
+                {"vendor": mcpe.get_vendor(), "product": mcpe.get_product()}
+            )
     return rval
 
 

examples/nmap_task.py

@@ -9,10 +9,7 @@ def mycallback(nmaptask):
     if nmaptask:
         print(
             "Task {0} ({1}): ETC: {2} DONE: {3}%".format(
-                nmaptask.name,
-                nmaptask.status,
-                nmaptask.etc,
-                nmaptask.progress
+                nmaptask.name, nmaptask.status, nmaptask.etc, nmaptask.progress
             )
         )
 

examples/nmap_task_bg.py

@@ -10,10 +10,7 @@
     if nmaptask:
         print(
             "Task {0} ({1}): ETC: {2} DONE: {3}%".format(
-                nmaptask.name,
-                nmaptask.status,
-                nmaptask.etc,
-                nmaptask.progress
+                nmaptask.name, nmaptask.status, nmaptask.etc, nmaptask.progress
             )
         )
 print("rc: {0} output: {1}".format(nmap_proc.rc, nmap_proc.summary))

libnmap/parser.py

@@ -2,9 +2,13 @@
 
 
 try:
-    import xml.etree.cElementTree as ET
+    import defusedxml.ElementTree as ET
 except ImportError:
-    import xml.etree.ElementTree as ET
+    try:
+        import xml.etree.cElementTree as ET
+    except ImportError:
+        import xml.etree.ElementTree as ET
+from xml.etree.ElementTree import iselement as et_iselement
 from libnmap.objects import NmapHost, NmapService, NmapReport
 
 
@@ -701,7 +705,7 @@ def __format_element(elt_data):
                     "to instanciate XML Element from "
                     "string {0} - {1}".format(elt_data, e)
                 )
-        elif ET.iselement(elt_data):
+        elif et_iselement(elt_data):
             xelement = elt_data
         else:
             raise NmapParserException(
@@ -724,7 +728,7 @@ def __format_attributes(elt_data):
         """
 
         rval = {}
-        if not ET.iselement(elt_data):
+        if not et_iselement(elt_data):
             raise NmapParserException(
                 "Error while trying to parse supplied "
                 "data attributes: format is not XML or "

libnmap/test/files/defused_et_included.xml

@@ -0,0 +1,6 @@
+<!-- comment -->
+<root>
+    <element key='value'>text</element>
+    <element>text</element>tail
+    <empty-element/>
+ </root>

libnmap/test/files/defused_et_local_includer.xml

@@ -0,0 +1,5 @@
+<?xml version="1.0"?>
+<!DOCTYPE external [
+<!ENTITY ee SYSTEM "file://./simple.xml">
+]>
+<root>&ee;</root>