Completely disable xml entity resolution

This commit is contained in:
mae 2023-08-05 14:13:49 +02:00
parent 17c336de66
commit 48b1e9bdc7
4 changed files with 22 additions and 1 deletions

View file

@ -0,0 +1 @@
Disable XML entity resolution completely to fix a dos vulnerability

View file

@ -31,7 +31,7 @@ defmodule Pleroma.Web.XML do
|> :binary.bin_to_list() |> :binary.bin_to_list()
|> :xmerl_scan.string( |> :xmerl_scan.string(
quiet: true, quiet: true,
fetch_fun: fn _, _ -> raise "Resolving external entities not supported" end allow_entities: false
) )
{:ok, doc} {:ok, doc}

15
test/fixtures/xml_billion_laughs.xml vendored Normal file
View file

@ -0,0 +1,15 @@
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

View file

@ -3,6 +3,11 @@ defmodule Pleroma.Web.XMLTest do
alias Pleroma.Web.XML alias Pleroma.Web.XML
test "refuses to parse any entities from XML" do
data = File.read!("test/fixtures/xml_billion_laughs.xml")
assert(:error == XML.parse_document(data))
end
test "refuses to load external entities from XML" do test "refuses to load external entities from XML" do
data = File.read!("test/fixtures/xml_external_entities.xml") data = File.read!("test/fixtures/xml_external_entities.xml")
assert(:error == XML.parse_document(data)) assert(:error == XML.parse_document(data))