Merge pull request 'Completely disable xml entity resolution' (#614) from MaeIsBad/akkoma:completely-disable-xml-entity-resolution into develop
Reviewed-on: #614
643e7dd7c1
4 changed files with 22 additions and 2 deletions
@ -39,7 +39,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
||||||
## Security
|
## Security
|
||||||
|
|
||||||
- Add `no_new_privs` hardening to OpenRC and systemd service files
|
- Add `no_new_privs` hardening to OpenRC and systemd service files
|
||||||
- Ensured that XML parsers cannot load external entities (thanks @Mae@is.badat.dev!)
|
- XML parsers cannot load any entities (thanks @Mae@is.badat.dev!)
|
||||||
- Reduced permissions of config files and directories, distros requiring greater permissions like group-read need to pre-create the directories
|
- Reduced permissions of config files and directories, distros requiring greater permissions like group-read need to pre-create the directories
|
||||||
|
|
||||||
## Removed
|
## Removed
|
||||||
|
|
|
@ -31,7 +31,7 @@ def parse_document(text) do
|
||||||
|> :binary.bin_to_list()
|
|> :binary.bin_to_list()
|
||||||
|> :xmerl_scan.string(
|
|> :xmerl_scan.string(
|
||||||
quiet: true,
|
quiet: true,
|
||||||
fetch_fun: fn _, _ -> raise "Resolving external entities not supported" end
|
allow_entities: false
|
||||||
)
|
)
|
||||||
|
|
||||||
{:ok, doc}
|
{:ok, doc}
|
||||||
|
|
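Review bot: Dropping `fetch_fun` in favour of `allow_entities: false` makes the external-entity protection depend entirely on the runtime's xmerl recognising that option, which only recent OTP releases ship; I am not certain older xmerl versions reject an unknown option rather than ignoring it, so on such a runtime the parser could end up resolving entities again with nothing in the code refusing the fetch. Keeping both settings costs nothing and gives defence in depth: `allow_entities: false,` followed by `fetch_fun: fn _, _ -> raise "Resolving external entities not supported" end`. It is also worth recording the minimum OTP/xmerl version this relies on in a comment next to the call, e.g. `# allow_entities requires an xmerl release that supports the option — see project minimum OTP`. The body of `parse_document/1` begins and ends outside this hunk.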
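--- /dev/null
+++ b/test/fixtures/xml_billion_laughs.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0"?>
+<!DOCTYPE lolz [
+<!ENTITY lol "lol">
+<!ELEMENT lolz (#PCDATA)>
+<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
+<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
+<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
+<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
+<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
+<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
+<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
+<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
+<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
+]>
+<lolz>&lol9;</lolz>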
@ -3,6 +3,11 @@ defmodule Pleroma.Web.XMLTest do
|
||||||
|
|
||||||
alias Pleroma.Web.XML
|
alias Pleroma.Web.XML
|
||||||
|
|
||||||
|
test "refuses to parse any entities from XML" do
|
||||||
|
data = File.read!("test/fixtures/xml_billion_laughs.xml")
|
||||||
|
assert(:error == XML.parse_document(data))
|
||||||
|
end
|
||||||
|
|
||||||
test "refuses to load external entities from XML" do
|
test "refuses to load external entities from XML" do
|
||||||
data = File.read!("test/fixtures/xml_external_entities.xml")
|
data = File.read!("test/fixtures/xml_external_entities.xml")
|
||||||
assert(:error == XML.parse_document(data))
|
assert(:error == XML.parse_document(data))
|
||||||
|
|
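Review bot: The new test asserts only `:error == XML.parse_document(data)`, the same assertion the existing external-entities test makes, so it proves the billion-laughs fixture is rejected but not that ordinary documents still parse after `allow_entities: false` is set. A positive companion test would pin the intended contract and catch over-blocking, assuming the predefined XML entities are meant to keep working: `test "still parses documents that only use predefined entities" do` / `assert {:ok, _} = XML.parse_document(~s(<a>&amp;&lt;</a>))` / `end`. If predefined entities are also expected to be refused under the new option, the test name should say so explicitly instead of "any entities", since that phrasing leaves the reader guessing which case is covered.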