How to use the defusedxml.pulldom.parse function in defusedxml
To help you get started, we’ve selected a few defusedxml examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
RUB-NDS / DTD-Attacks / code / python / pulldom / testDefusedPulldom.py View on Github 
def testXInclude(self):
file = '../../xml_files_windows/xinclude.xml'
tagName = "data"
doc = _DEFUSED.parse(file)
for event, node in doc:
if event == _PULLDOM.START_ELEMENT and node.tagName == tagName:
doc.expandNode(node)
self.assertEqual("xi:include", node.firstChild.nodeName )def testParameterEntity_doctype(self):
file = '../../xml_files_windows/xxep/parameterEntity_doctype.xml'
tagName = "data"
with self.assertRaises(ExternalReferenceForbidden):
doc = _DEFUSED.parse(file)
for event, node in doc:
if event == _PULLDOM.START_ELEMENT and node.tagName == tagName:
doc.expandNode(node)def testURLInvocation_XInclude(self):
#Reset the server back to "0"
r = requests.get(self._URL_+"/reset")
r = requests.get(self._URL_ +"/getCounter")
request_content = r.text.replace("\r\n","")
self.assertEqual("0", request_content)
file = '../../xml_files_windows/ssrf/url_invocation_xinclude.xml'
tagName = "data"
doc = _DEFUSED.parse(file)
for event, node in doc:
if event == _PULLDOM.START_ELEMENT and node.tagName == tagName:
doc.expandNode(node)
#Check if a request has been made
r = requests.get(self._URL_ +"/getCounter")
request_content = r.text.replace("\r\n","")
self.assertEqual("0", request_content)def testXXE(self):
file = '../../xml_files_windows/xxe/xxe.xml'
tagName = "data"
with self.assertRaises(EntitiesForbidden):
doc = _DEFUSED.parse(file)
for event, node in doc:
if event == _PULLDOM.START_ELEMENT and node.tagName == tagName:
doc.expandNode(node)def testURLInvocation_noNamespaceSchemaLocation(self):
#Reset the server back to "0"
r = requests.get(self._URL_+"/reset")
r = requests.get(self._URL_ +"/getCounter")
request_content = r.text.replace("\r\n","")
self.assertEqual("0", request_content)
file = '../../xml_files_windows/ssrf/url_invocation_noNamespaceSchemaLocation.xml'
tagName = "data"
doc = _DEFUSED.parse(file)
for event, node in doc:
if event == _PULLDOM.START_ELEMENT and node.tagName == tagName:
doc.expandNode(node)
#Check if a request has been made
r = requests.get(self._URL_ +"/getCounter")
request_content = r.text.replace("\r\n","")
self.assertEqual("0", request_content)def testDOS_core(self):
file = '../../xml_files_windows/dos/dos_core.xml'
tagName = "data"
with self.assertRaises(EntitiesForbidden):
doc = _DEFUSED.parse(file)
for event, node in doc:
if event == _PULLDOM.START_ELEMENT and node.tagName == tagName:
doc.expandNode(node)def testInternalSubset_ExternalPEReferenceInDTD(self):
file = '../../xml_files_windows/xxep/internalSubset_ExternalPEReferenceInDTD.xml'
tagName = "data"
with self.assertRaises(EntitiesForbidden):
doc = _DEFUSED.parse(file)
for event, node in doc:
if event == _PULLDOM.START_ELEMENT and node.tagName == tagName:
doc.expandNode(node)def testDOS_entitySize(self):
file = '../../xml_files_windows/dos/dos_entitySize.xml'
tagName = "data"
with self.assertRaises(EntitiesForbidden):
doc = _DEFUSED.parse(file)
for event, node in doc:
if event == _PULLDOM.START_ELEMENT and node.tagName == tagName:
doc.expandNode(node)def testDefault_noAttack(self):
file = '../../xml_files_windows/standard.xml'
tagName = "data"
doc = _DEFUSED.parse(file)
for event, node in doc:
if event == _PULLDOM.START_ELEMENT and node.tagName == tagName:
doc.expandNode(node)
self.assertEqual("data",node.nodeName)
self.assertEqual("4",node.firstChild.data)def testURLInvocation_parameterEntity(self):
#Reset the server back to "0"
r = requests.get(self._URL_+"/reset")
r = requests.get(self._URL_ +"/getCounter")
request_content = r.text.replace("\r\n","")
self.assertEqual("0", request_content)
file = '../../xml_files_windows/ssrf/url_invocation_parameterEntity.xml'
tagName = "data"
with self.assertRaises(EntitiesForbidden):
doc = _DEFUSED.parse(file)
for event, node in doc:
if event == _PULLDOM.START_ELEMENT and node.tagName == tagName:
doc.expandNode(node)
#Check if a request has been made
r = requests.get(self._URL_ +"/getCounter")
request_content = r.text.replace("\r\n","")
self.assertEqual("0", request_content)defusedxml
XML bomb protection for Python stdlib modules
Package Health Score
70 / 100Popular defusedxml functions
- defusedxml.cElementTree
- defusedxml.cElementTree.fromstring
- defusedxml.cElementTree.parse
- defusedxml.ElementTree
- defusedxml.ElementTree.Element
- defusedxml.ElementTree.fromstring
- defusedxml.ElementTree.parse
- defusedxml.ElementTree.ParseError
- defusedxml.ElementTree.SubElement
- defusedxml.ElementTree.tostring
- defusedxml.lxml
- defusedxml.lxml._etree
- defusedxml.lxml._etree.ElementTree
- defusedxml.lxml._etree.parse
- defusedxml.lxml.fromstring
- defusedxml.lxml.parse
- defusedxml.minidom.parse
- defusedxml.minidom.parseString
- defusedxml.pulldom.parse
- defusedxml.xmlrpc