Skip to content

SweetXml inline DTD vulnerability #781

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
dbernheisel opened this issue Apr 28, 2021 · 6 comments
Closed

SweetXml inline DTD vulnerability #781

dbernheisel opened this issue Apr 28, 2021 · 6 comments

Comments

@dbernheisel
Copy link
Contributor

Environment

  • Elixir & Erlang versions: Elixir 1.10.4-otp-22
  • ExAws version: ex_aws 2.1.6 and ex_aws_s3 2.1.0
  • HTTP client version: hackney 1.16.0
  • SweetXML version: 0.6.6

Current behavior

There is a possibility of an attack via XML parsing. Trusted sources such as AWS responses may not be a high risk, but I'm unaware of this parser is used for any user-sourced XML. Either way it may be prudent to limit DTD parsing to known sources or to ignore DTD.

Relevant issue in SweetXML: kbrw/sweet_xml#71

Expected behavior

The proposed fix from SweetXML is not yet released. It may be released in v0.7.0 after testing. (0.6.6 is the current version at this time).

When it's released, it may be good for ./lib/ex_aws/operation/query/parser.ex to explicitly parse the response XML and turn off DTD parsing, instead of implicitly parsing via xpath/2. Currently ExAws calls SweetXml.xpath which does not offer passing through options to parse (that I see anyway)

For example with SweetXML on v0.7.0-rc.1:

parsed_body =
  xml
  |> SweetXml.parse(dtd: :none)
  |> SweetXml.xpath(
    ~x"//ErrorResponse",
    request_id: ~x"./RequestId/text()"s,
    type: ~x"./Error/Type/text()"s,
    code: ~x"./Error/Code/text()"s,
    message: ~x"./Error/Message/text()"s,
    detail: ~x"./Error/Detail/text()"s
  )

This should avoid DTD bombing from Amazon :)
@bernardd
Copy link
Contributor

Sounds good, thanks @dbernheisel. I'll keep an eye out for the release.

@nathany-copia
Copy link

SweetXml 0.7.0 is released (0.7.1 even):

kbrw/sweet_xml#71 (comment)

https://github.com/kbrw/sweet_xml/blob/master/CHANGELOG.md

@bernardd
Copy link
Contributor

bernardd commented Sep 8, 2021

Thanks @andrevdm - I've bumped the minimum version in mix.exs

@dbernheisel
Copy link
Contributor Author

Just want to point out that using the newer version doesn't cover the issue, I think you'd have to specify options as well to avoid DTD bombing.

@bernardd
Copy link
Contributor

bernardd commented Sep 8, 2021

Ah, dang, thanks @dbernheisel. I get it now. Just give me a moment here :)

bernardd added a commit that referenced this issue Sep 8, 2021
@bernardd
Disable DTD parsing in XML
cf5dbcb 
Properly resolves #781
@bernardd
Copy link
Contributor

bernardd commented Sep 8, 2021

There we go, that should do it cf5dbcb#diff-cc3c9ea16b7b52b9ec61704993ac4e46bd0d6403262214c48635973cd903757d

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@bernardd @dbernheisel @nathany-copia