drawio-generator
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM (REMOTE_CODE_EXECUTION)
Full Analysis
- [Unsafe XML Parsing] (MEDIUM): The validation script scripts/validate_drawio.py uses the xml.etree.ElementTree library to process XML data.
  - Evidence: The script imports xml.etree.ElementTree and calls ET.fromstring(content) on the contents of a .drawio file in the validate_drawio function.
  - Risk: The default ElementTree parser is not secure against maliciously constructed data. Specifically, it is vulnerable to XML entity expansion attacks (such as the "Billion Laughs" attack), which can lead to a Denial of Service (DoS) by exhausting system memory. While modern Python versions mitigate some external entity risks, the parser still lacks the necessary resource constraints for safely handling untrusted XML input.
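A hardened form of the validate_drawio routine described in the finding, written here as an added example (not the audited project's code): it pre-screens the input with a bare expat parser so that any DOCTYPE or entity declaration is refused before xml.etree.ElementTree ever sees the data, and it caps input size. The 5 MiB cap, the mxfile root-element check and the sample documents are assumptions chosen for illustration; the defusedxml package is the usual drop-in when a dependency is acceptable.

```python
# Added example, not the audited project's code. The size cap, the <mxfile>
# root check and the sample documents are assumptions for illustration.
import xml.etree.ElementTree as ET
import xml.parsers.expat

MAX_BYTES = 5 * 1024 * 1024  # assumed upper bound for a diagram file


class UnsafeXML(ValueError):
    """Raised when the input contains constructs we refuse to parse."""


def reject_dtd_and_entities(content: bytes) -> None:
    """Pre-screen with expat: entity expansion needs a DTD, so any DOCTYPE
    or entity declaration aborts the parse before ElementTree sees it."""
    parser = xml.parsers.expat.ParserCreate()

    def refuse_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE declarations are not allowed in .drawio input")

    def refuse_entity(name, is_parameter, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity declaration {name!r} is not allowed")

    parser.StartDoctypeDeclHandler = refuse_doctype
    parser.EntityDeclHandler = refuse_entity
    parser.Parse(content, True)  # an exception raised in a handler propagates here


def validate_drawio(content) -> ET.Element:
    """Parse untrusted .drawio content only after the pre-screen passes."""
    if isinstance(content, str):
        content = content.encode("utf-8")
    if len(content) > MAX_BYTES:
        raise UnsafeXML(f"input exceeds {MAX_BYTES} bytes")
    reject_dtd_and_entities(content)
    root = ET.fromstring(content)  # the original call, now reached only for DTD-free input
    if root.tag != "mxfile":  # assumed root element of a .drawio file
        raise UnsafeXML(f"unexpected root element {root.tag!r}")
    return root


def is_safe_drawio(content) -> bool:
    """True only when the document is accepted end to end."""
    try:
        validate_drawio(content)
        return True
    except (UnsafeXML, ET.ParseError, xml.parsers.expat.ExpatError):
        return False


# Constructed samples, not files from the project.
SAFE_SAMPLE = (b'<mxfile host="example"><diagram id="d1" name="Page-1"><mxGraphModel>'
               b'<root><mxCell id="0"/></root></mxGraphModel></diagram></mxfile>')
DTD_SAMPLE = b'<?xml version="1.0"?><!DOCTYPE mxfile [<!ENTITY e "x">]><mxfile>&e;</mxfile>'
NOT_DRAWIO = b'<svg/>'
```

The document is parsed twice (once by expat for the screen, once by ElementTree), which is an acceptable cost for a diagram file and keeps the original ET.fromstring call site unchanged.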
Audit Metadata