
xml.dom.minidom.parseString to parse untrusted XML is vulnerable to attack #346

Closed
1 of 2 tasks
cclauss opened this issue Nov 24, 2017 · 6 comments · Fixed by #378

Comments

@cclauss
Contributor

cclauss commented Nov 24, 2017

https://www.codacy.com/app/fossasia/query-server/issues says: app/server.py
Using xml.dom.minidom.parseString to parse untrusted XML data is known to be vulnerable to XML attacks. Replace xml.dom.minidom.parseString with its defusedxml equivalent function.

Line 71: xmlfeed = parseString(

I'm submitting a ...

  • bug report
  • feature request

Current behavior:

Expected behavior:

Steps to reproduce:

@starlord1311
Contributor

Can I take up this issue?

@cclauss
Contributor Author

cclauss commented Dec 2, 2017

Yes please

@starlord1311
Contributor

Can you tell what I am supposed to do? @cclauss

@rupav
Member

rupav commented Dec 2, 2017

@starlord1311 you have to use a defusedxml function to do the role similar to that of xml.dom.minidom.parseString, because the latter is not a safe choice, susceptible to different threats (e.g. billion laughs attack).

@cclauss
Contributor Author

cclauss commented Dec 2, 2017

Agreed...

  1. add defusedxml to requirements.txt
  2. use the parseString() in https://pypi.python.org/pypi/defusedxml#defusedxml-minidom instead of the standard library version.
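
The two comments above (rupav's point that minidom expands entities, and the two-step fix of adding defusedxml to requirements.txt and calling its parseString) in working code. This is an added example, not code from fossasia/query-server: the `EXPANSION_PAYLOAD` and `BENIGN_FEED` inputs are constructed, `parse_trusting` and `parse_untrusted` are illustrative names, and the stdlib fallback used when defusedxml is not installed is an assumption for this example only (it mirrors what defusedxml does: hook expat's entity-declaration callback and raise before anything is expanded).

```python
"""Added example for this thread (not code from fossasia/query-server): the
xml.dom.minidom.parseString call flagged in server.py beside the defusedxml
replacement the thread asks for, exercised on a constructed entity-expansion
("billion laughs"-style) document."""
from xml.dom import minidom
import xml.parsers.expat

try:
    # Step 2 of the fix: the drop-in parseString from the defusedxml package
    # (step 1 is adding "defusedxml" to requirements.txt).
    from defusedxml.minidom import parseString as defused_parse_string
    from defusedxml import EntitiesForbidden
except ImportError:
    # Assumption for this example only: if defusedxml is not installed, fall back
    # to the stdlib stand-in below, which rejects entity declarations the same way.
    defused_parse_string = None

    class EntitiesForbidden(ValueError):
        """Stand-in for defusedxml.EntitiesForbidden when the package is absent."""


# Constructed test input: four nesting levels, each entity referencing the previous
# one four times, so the two-character entity "a" becomes 4**4 = 256 copies (512
# characters) of text from a document that is much shorter than that. Real payloads
# nest far deeper; this one is only large enough to show that expansion happens.
EXPANSION_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY a "ha">
  <!ENTITY b "&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;">
  <!ENTITY d "&c;&c;&c;&c;">
]>
<data>&d;&d;&d;&d;</data>"""

# Constructed benign feed, the kind of input server.py line 71 is meant to handle.
BENIGN_FEED = b'<?xml version="1.0"?><feed><title>query-server</title></feed>'


def text_content(node) -> str:
    """Concatenate all text beneath a minidom node (entity expansions land here)."""
    if node.nodeType == node.TEXT_NODE:
        return node.data
    return "".join(text_content(child) for child in node.childNodes)


def parse_trusting(xml_bytes: bytes) -> str:
    """The pattern Codacy flagged: xml.dom.minidom.parseString expands every
    internal entity it is given, so the caller pays for the sender's expansion."""
    doc = minidom.parseString(xml_bytes)
    return text_content(doc.documentElement)


def _reject_entity_declarations(xml_bytes: bytes) -> None:
    """Stdlib-only stand-in (assumption: used only when defusedxml is missing).
    Like defusedxml, it hooks expat's entity-declaration and external-entity
    callbacks and raises before any expansion or tree building happens."""
    parser = xml.parsers.expat.ParserCreate()

    def entity_decl(name, is_parameter_entity, value, base, system_id,
                    public_id, notation_name):
        raise EntitiesForbidden(f"entity declaration {name!r} is not allowed")

    def external_entity_ref(context, base, system_id, public_id):
        raise EntitiesForbidden("external entity references are not allowed")

    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.Parse(xml_bytes, True)


def parse_untrusted(xml_bytes: bytes) -> str:
    """The fix: defusedxml.minidom.parseString raises EntitiesForbidden as soon
    as an <!ENTITY> declaration appears (its default forbid_entities=True), so
    the expansion never runs. Benign documents parse exactly as before."""
    if defused_parse_string is not None:
        doc = defused_parse_string(xml_bytes)
    else:
        _reject_entity_declarations(xml_bytes)
        doc = minidom.parseString(xml_bytes)
    return text_content(doc.documentElement)


def rejects(xml_bytes: bytes) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_untrusted(xml_bytes)
    except EntitiesForbidden:
        return True
    return False


if __name__ == "__main__":
    expanded = parse_trusting(EXPANSION_PAYLOAD)
    print(f"minidom: {len(EXPANSION_PAYLOAD)} input bytes -> {len(expanded)} chars of text")
    print("defused parser rejects payload:", rejects(EXPANSION_PAYLOAD))
    print("defused parser on benign feed:", parse_untrusted(BENIGN_FEED))
```

In server.py the change is one import: `from defusedxml.minidom import parseString` in place of `from xml.dom.minidom import parseString`, with `defusedxml` added to requirements.txt. Search results that carry no DTD go through unchanged; a response carrying entity declarations is refused with EntitiesForbidden, which the caller can log and treat as a failed scrape rather than letting the parser grow the text.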

@shaddygarg
Member

@starlord1311, you working on this?

starlord1311 pushed a commit to starlord1311/query-server that referenced this issue Dec 11, 2017
Lookup scrapers by name, not by initial (fossasia#327)

Add support for Python 3 (fossasia#343)

Fixes fossasia#357 Add Mojeek in README (fossasia#358)

changes made to server.py to prevent XML attacks

defusedxml