
Harden XML parsing #382

Open
jsegitz opened this issue Nov 26, 2020 · 3 comments

Comments

jsegitz commented Nov 26, 2020

Original report: https://bugzilla.suse.com/show_bug.cgi?id=1143658

This module parses potentially untrusted XML. Without precautions this can result in DoS, network connections to machines in the internal network, etc. For details please see the description in the bug.

jsegitz (Author) commented Nov 26, 2020

adrianschroeter (Member) commented

The network protection is handled in the network setup of the build.opensuse.org server.
Not sure how any generic filtering of host names would look like...

jsegitz (Author) commented Mar 16, 2022

There are XML parsers that prevent the issues in the first place; lxml is unfortunately not really good here. So if we don't specifically need this, we could move to a different parser that is better in this regard. The "real" protection comes from the network setup, but it would still be nice to use a better XML parser.
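As an added illustration of what "hardened" parsing of untrusted XML looks like (example code, not part of this issue or of the Open Build Service code base), the following uses only the Python standard library's expat bindings and refuses the two features behind the problems named in the report: any DOCTYPE / entity declaration (which is what entity-expansion DoS needs) and any external entity reference (which is what triggers outbound connections via SYSTEM identifiers). It also caps the input size up front. The element names, the size limit and the sample documents are constructed for the example; the rejection helper `rejects` exists only to make the behaviour easy to check.

```python
"""Hardened parsing of untrusted XML with the standard library's expat bindings.

Policy (assumption for this example): no DOCTYPE, no entity declarations,
no external entity references, no parameter-entity processing, bounded size.
Anything outside that policy raises UnsafeXML instead of being processed.
"""
import xml.parsers.expat
from xml.parsers.expat import ExpatError


class UnsafeXML(ValueError):
    """Raised when a document uses a feature this parser refuses to process."""


class Node:
    """Minimal element tree node (example structure, not lxml's)."""
    __slots__ = ("tag", "attrib", "text", "children")

    def __init__(self, tag, attrib):
        self.tag = tag
        self.attrib = dict(attrib)
        self.text = ""
        self.children = []


def parse_untrusted(data: bytes, max_size: int = 1 << 20) -> Node:
    """Parse `data` under the policy above and return the root Node."""
    if len(data) > max_size:
        raise UnsafeXML(f"document exceeds size limit of {max_size} bytes")

    parser = xml.parsers.expat.ParserCreate()
    # Never process parameter entities (external DTD subsets, etc.).
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    # Exceptions raised inside expat handlers propagate out of Parse(),
    # so each refused construct aborts parsing immediately.
    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE declarations are not accepted")

    def reject_entity_decl(*decl):
        raise UnsafeXML("entity declarations are not accepted")

    def reject_external_ref(context, base, sysid, pubid):
        raise UnsafeXML("external entity references are not accepted")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity_decl
    parser.ExternalEntityRefHandler = reject_external_ref

    # Ordinary tree building for documents that pass the policy.
    stack, roots = [], []

    def start(tag, attrs):
        node = Node(tag, attrs)
        (stack[-1].children if stack else roots).append(node)
        stack.append(node)

    def end(tag):
        stack.pop()

    def chars(text):
        if stack:
            stack[-1].text += text

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars

    try:
        parser.Parse(data, True)
    except ExpatError as exc:
        raise UnsafeXML(f"malformed XML: {exc}") from exc
    return roots[0]


def rejects(data: bytes, **kwargs) -> bool:
    """True if parse_untrusted refuses `data` (helper for checks below)."""
    try:
        parse_untrusted(data, **kwargs)
    except UnsafeXML:
        return True
    return False


# Constructed sample inputs for the example (not taken from the report).
BENIGN = b'<package name="foo"><title>Hello</title></package>'
INTERNAL_ENTITY = b'<!DOCTYPE d [<!ENTITY e "x">]><d>&e;</d>'
EXTERNAL_ENTITY = b'<!DOCTYPE d [<!ENTITY e SYSTEM "http://host.example.invalid/">]><d>&e;</d>'

if __name__ == "__main__":
    root = parse_untrusted(BENIGN)
    print(root.tag, root.attrib, root.children[0].text)
    for sample in (INTERNAL_ENTITY, EXTERNAL_ENTITY):
        print("rejected:", rejects(sample))
```

The same policy is expressible with lxml itself via `etree.XMLParser(resolve_entities=False, no_network=True)` (leaving `huge_tree` at its default of off), but as the comment above notes, those are opt-in switches rather than the default, which is why a size cap and an explicit DOCTYPE rejection at the boundary are still worth having.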
