From 48b1e9bdc7382ec6ef33e95f2bd8674ae92f17b2 Mon Sep 17 00:00:00 2001 From: mae Date: Sat, 5 Aug 2023 14:13:49 +0200 Subject: [PATCH] Completely disable xml entity resolution --- .../disable-xml-entity-resolution.security | 1 + lib/pleroma/web/xml.ex | 2 +- test/fixtures/xml_billion_laughs.xml | 15 +++++++++++++++ test/pleroma/web/xml_test.exs | 5 +++++ 4 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 changelog.d/disable-xml-entity-resolution.security create mode 100644 test/fixtures/xml_billion_laughs.xml diff --git a/changelog.d/disable-xml-entity-resolution.security b/changelog.d/disable-xml-entity-resolution.security new file mode 100644 index 000000000..db8e12f67 --- /dev/null +++ b/changelog.d/disable-xml-entity-resolution.security @@ -0,0 +1 @@ +Disable XML entity resolution completely to fix a dos vulnerability diff --git a/lib/pleroma/web/xml.ex b/lib/pleroma/web/xml.ex index 380a80ab8..64329e4ba 100644 --- a/lib/pleroma/web/xml.ex +++ b/lib/pleroma/web/xml.ex @@ -31,7 +31,7 @@ def parse_document(text) do |> :binary.bin_to_list() |> :xmerl_scan.string( quiet: true, - fetch_fun: fn _, _ -> raise "Resolving external entities not supported" end + allow_entities: false ) {:ok, doc} diff --git a/test/fixtures/xml_billion_laughs.xml b/test/fixtures/xml_billion_laughs.xml new file mode 100644 index 000000000..75fb24cae --- /dev/null +++ b/test/fixtures/xml_billion_laughs.xml @@ -0,0 +1,15 @@ + + + + + + + + + + + + +]> +&lol9; diff --git a/test/pleroma/web/xml_test.exs b/test/pleroma/web/xml_test.exs index 89d4709b6..49306430b 100644 --- a/test/pleroma/web/xml_test.exs +++ b/test/pleroma/web/xml_test.exs @@ -3,6 +3,11 @@ defmodule Pleroma.Web.XMLTest do alias Pleroma.Web.XML + test "refuses to parse any entities from XML" do + data = File.read!("test/fixtures/xml_billion_laughs.xml") + assert(:error == XML.parse_document(data)) + end + test "refuses to load external entities from XML" do data = File.read!("test/fixtures/xml_external_entities.xml") assert(:error == XML.parse_document(data))