author | mae <git@badat.dev> | 2023-08-05 14:13:49 +0200 |
---|---|---|
committer | mae <git@badat.dev> | 2023-08-05 14:17:04 +0200 |
commit | 48b1e9bdc7382ec6ef33e95f2bd8674ae92f17b2 (patch) | |
tree | 623433efceefe6deead177525714b216f1610829 | |
parent | 17c336de66b757ef90e9e229d086c7b83fb1573e (diff) | |
download | pleroma-48b1e9bdc7382ec6ef33e95f2bd8674ae92f17b2.tar.gz pleroma-48b1e9bdc7382ec6ef33e95f2bd8674ae92f17b2.zip |
Completely disable XML entity resolution
-rw-r--r-- | changelog.d/disable-xml-entity-resolution.security | 1 | ||||
-rw-r--r-- | lib/pleroma/web/xml.ex | 2 | ||||
-rw-r--r-- | test/fixtures/xml_billion_laughs.xml | 15 | ||||
-rw-r--r-- | test/pleroma/web/xml_test.exs | 5 |
4 files changed, 22 insertions, 1 deletions
diff --git a/changelog.d/disable-xml-entity-resolution.security b/changelog.d/disable-xml-entity-resolution.security
new file mode 100644
index 000000000..db8e12f67
--- /dev/null
+++ b/changelog.d/disable-xml-entity-resolution.security
@@ -0,0 +1 @@
+Disable XML entity resolution completely to fix a dos vulnerability
diff --git a/lib/pleroma/web/xml.ex b/lib/pleroma/web/xml.ex
index 380a80ab8..64329e4ba 100644
--- a/lib/pleroma/web/xml.ex
+++ b/lib/pleroma/web/xml.ex
@@ -31,7 +31,7 @@ defmodule Pleroma.Web.XML do
 |> :binary.bin_to_list()
 |> :xmerl_scan.string(
 quiet: true,
- fetch_fun: fn _, _ -> raise "Resolving external entities not supported" end
+ allow_entities: false
 )
 
 {:ok, doc}
diff --git a/test/fixtures/xml_billion_laughs.xml b/test/fixtures/xml_billion_laughs.xml
new file mode 100644
index 000000000..75fb24cae
--- /dev/null
+++ b/test/fixtures/xml_billion_laughs.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0"?>
+<!DOCTYPE lolz [
+ <!ENTITY lol "lol">
+ <!ELEMENT lolz (#PCDATA)>
+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
+ <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
+ <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
+ <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
+ <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
+ <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
+ <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
+ <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
+ <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
+]>
+<lolz>&lol9;</lolz>
diff --git a/test/pleroma/web/xml_test.exs b/test/pleroma/web/xml_test.exs
index 89d4709b6..49306430b 100644
--- a/test/pleroma/web/xml_test.exs
+++ b/test/pleroma/web/xml_test.exs
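Review bot: The new `allow_entities: false` option on the `:xmerl_scan.string/2` call is only effective on xmerl releases that implement it, and the hunk neither documents nor pins that requirement; on an older OTP the option is presumably either ignored or rejected, and in the ignored case the billion-laughs fixture would be expanded again while the removed `fetch_fun` guard no longer blocks external fetches either. I would record this next to the option, `# allow_entities: false makes xmerl refuse every entity declaration (internal and external); needs an xmerl/OTP release that supports this option`, and state the minimum OTP in the project metadata so a downgrade cannot silently reopen the hole. Since xmerl works on the charlist produced by `:binary.bin_to_list/1` above, a size bound on the document before this call remains worthwhile independent of entity handling; the enclosing `parse_document` starts outside the hunk, so I cannot tell whether one already exists.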
@@ -3,6 +3,11 @@ defmodule Pleroma.Web.XMLTest do
 alias Pleroma.Web.XML
+ test "refuses to parse any entities from XML" do
+ data = File.read!("test/fixtures/xml_billion_laughs.xml")
+ assert(:error == XML.parse_document(data))
+ end
+
 test "refuses to load external entities from XML" do
 data = File.read!("test/fixtures/xml_external_entities.xml")
 assert(:error == XML.parse_document(data)) |