I'm having a look at the source code and dasbus/xml.py caught my attention. xml.etree.ElementTree and xml.dom.minidom are being imported and used without checking the validity of the xml passed to them. Therefore, in case a malicious xml is passed to them it can cause problems such as crashing the server.
Also, I believe this will not have a security implication since if an attacker gains access to the server code they don't need this issue! And the code is not accessible from the client side either. Having said that, I wanted to let you know about this issue and ask if you could possibly address it. Thanks.
Here's a quick example by changing a couple of lines in the hello world example in the project that would show the issue.
```python
#
# Run the service org.example.HelloWorld.
#

from dasbus.loop import EventLoop
from dasbus.server.interface import dbus_interface
from dasbus.typing import Str
from common import HELLO_WORLD, SESSION_BUS
from dasbus.xml import XMLGenerator

# Amir added the following variable:
xml_str = '''<?xml version="1.0"?>
<!DOCTYPE bomb [
<!ENTITY a "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
]>
<bomb>&a;</bomb>
'''


@dbus_interface(HELLO_WORLD.interface_name)
class HelloWorld(object):
    """The DBus interface for HelloWorld."""

    def Hello(self, name: Str) -> Str:
        """Generate a greeting.

        :param name: someone to say hello
        :return: a greeting
        """
        return "Hello {}!".format(name)


if __name__ == "__main__":
    # Print the generated XML specification.
    # print(XMLGenerator.prettify_xml(HelloWorld.__dbus_xml__))
    # Amir added the following line:
    print(XMLGenerator.prettify_xml(xml_str))

    try:
        # Create an instance of the class HelloWorld.
        hello_world = HelloWorld()

        # Publish the instance at /org/example/HelloWorld.
        SESSION_BUS.publish_object(HELLO_WORLD.object_path, hello_world)

        # Register the service name org.example.HelloWorld.
        SESSION_BUS.register_service(HELLO_WORLD.service_name)

        # Start the event loop.
        loop = EventLoop()
        loop.run()
    finally:
        # Unregister the DBus service and objects.
        SESSION_BUS.disconnect()
```
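One way to close the gap the report describes: screen the string with a throwaway expat pass that aborts on the first DOCTYPE, and only then hand it to minidom or ElementTree. This is an added example, not dasbus code; `prettify_xml_safely` mirrors the call used above but its minidom-based body is an assumption about what dasbus does internally, and the two sample documents are constructed here.

```python
import xml.dom.minidom
import xml.etree.ElementTree as ET
from xml.parsers.expat import ParserCreate


class UnsafeXMLError(ValueError):
    """Raised when a document declares a DTD (and so may declare entities)."""


def reject_dtd(xml_str):
    """Pre-screen xml_str with expat, aborting as soon as a DOCTYPE appears.

    Entity declarations can only live inside the DTD, so refusing the DOCTYPE
    stops entity expansion before either stdlib parser gets to run it.
    Malformed input raises the usual ExpatError. Returns xml_str unchanged.
    """
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("DTD declarations are not allowed: %r" % name)

    parser = ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(xml_str, True)
    return xml_str


def is_safe_xml(xml_str):
    """True if xml_str passes the DTD screen, False if it is rejected."""
    try:
        reject_dtd(xml_str)
    except UnsafeXMLError:
        return False
    return True


def prettify_xml_safely(xml_str):
    """Same job as the prettify_xml call above, but screened first (assumed minidom body)."""
    return xml.dom.minidom.parseString(reject_dtd(xml_str)).toprettyxml(indent="  ")


def interface_names(xml_str):
    """Return the interface names in a D-Bus introspection document."""
    root = ET.fromstring(reject_dtd(xml_str))
    return [iface.get("name") for iface in root.iter("interface")]


# Constructed sample: the self-referencing entity document from the report above.
ENTITY_XML = '<?xml version="1.0"?>\n<!DOCTYPE bomb [\n' \
             '<!ENTITY a "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">\n]>\n<bomb>&a;</bomb>\n'

# Constructed sample: a plain introspection document, which needs no DTD.
INTROSPECTION_XML = ('<node><interface name="org.example.HelloWorld">'
                     '<method name="Hello"><arg direction="in" name="name" type="s"/>'
                     '<arg direction="out" name="return" type="s"/></method>'
                     '</interface></node>')
```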