[tryton-commits] changeset in trytond:6.2 Protect against XML vulnerabilities

Tue, 01 Mar 2022 10:59:29 -0800 

changeset 2ef295408a0b in trytond:6.2
details: https://hg.tryton.org/trytond?cmd=changeset&node=2ef295408a0b
description:
        Protect against XML vulnerabilities

        issue11219
        issue11244
        (grafted from a64ca55b86e3462b5d5348c4fc8698350695b60e)
diffstat:

 CHANGELOG                   |  3 +++
 setup.py                    |  1 +
 trytond/__init__.py         |  6 ++++++
 trytond/ir/translation.py   |  4 ++--
 trytond/model/modelview.py  |  5 +++--
 trytond/protocols/xmlrpc.py |  3 +++
 6 files changed, 18 insertions(+), 4 deletions(-)

diffs (111 lines):

diff -r 30706ae6b23b -r 2ef295408a0b CHANGELOG
--- a/CHANGELOG Tue Feb 22 22:57:03 2022 +0100
+++ b/CHANGELOG Tue Mar 01 19:07:56 2022 +0100
@@ -1,3 +1,6 @@
+* Do not resolve entities by default with lxml (issue11219)
+* Use defusedxml to parse XML (issue11244)
+
 Version 6.2.5 - 2022-02-16
 * Bug fixes (see mercurial logs for details)
 
diff -r 30706ae6b23b -r 2ef295408a0b setup.py
--- a/setup.py  Tue Feb 22 22:57:03 2022 +0100
+++ b/setup.py  Tue Mar 01 19:07:56 2022 +0100
@@ -156,6 +156,7 @@
     license='GPL-3',
     python_requires='>=3.6',
     install_requires=[
+        'defusedxml',
         'lxml >= 2.0',
         'relatorio[fodt] >= 0.7.0',
         'Genshi',
diff -r 30706ae6b23b -r 2ef295408a0b trytond/__init__.py
--- a/trytond/__init__.py       Tue Feb 22 22:57:03 2022 +0100
+++ b/trytond/__init__.py       Tue Mar 01 19:07:56 2022 +0100
@@ -5,6 +5,8 @@
 import warnings
 from email import charset
 
+from lxml import etree, objectify
+
 __version__ = "6.2.6"
 
 os.environ['TZ'] = 'UTC'
@@ -16,3 +18,7 @@
 
 # set email encoding for utf-8 to 'quoted-printable'
 charset.add_charset('utf-8', charset.QP, charset.QP)
+
+# prevent XML vulnerabilities by default
+etree.set_default_parser(etree.XMLParser(resolve_entities=False))
+objectify.set_default_parser(objectify.makeparser(resolve_entities=False))
diff -r 30706ae6b23b -r 2ef295408a0b trytond/ir/translation.py
--- a/trytond/ir/translation.py Tue Feb 22 22:57:03 2022 +0100
+++ b/trytond/ir/translation.py Tue Mar 01 19:07:56 2022 +0100
@@ -1,7 +1,6 @@
 # This file is part of Tryton.  The COPYRIGHT file at the top level of
 # this repository contains the full copyright notices and license terms.
 import os
-import xml.dom.minidom
 from difflib import SequenceMatcher
 from collections import defaultdict
 from io import BytesIO
@@ -13,6 +12,7 @@
 from sql.conditionals import Case
 from sql.aggregate import Max
 
+from defusedxml.minidom import parseString
 from genshi.filters.i18n import extract as genshi_extract
 from relatorio.reporting import MIMETemplateLoader
 from relatorio.templates.opendocument import get_zip_file
@@ -959,7 +959,7 @@
                 zip_.read('content.xml'),
                 zip_.read('styles.xml'),
                 ]:
-            document = xml.dom.minidom.parseString(content_xml)
+            document = parseString(content_xml)
             for string in extract(document.documentElement):
                 yield string
 
diff -r 30706ae6b23b -r 2ef295408a0b trytond/model/modelview.py
--- a/trytond/model/modelview.py        Tue Feb 22 22:57:03 2022 +0100
+++ b/trytond/model/modelview.py        Tue Mar 01 19:07:56 2022 +0100
@@ -319,7 +319,7 @@
             if not result['arch']:
                 raise ValueError("Missing view architecture for %s" % ((
                             cls.__name__, view_id, view_type),))
-            parser = etree.XMLParser(remove_comments=True)
+            parser = etree.XMLParser(remove_comments=True, 
resolve_entities=False)
             tree = etree.fromstring(result['arch'], parser=parser)
             for view in views:
                 if view.domain:
@@ -374,7 +374,8 @@
             level = 1 if result['type'] == 'tree' else 0
 
         # Update arch and compute fields from arch
-        parser = etree.XMLParser(remove_blank_text=True)
+        parser = etree.XMLParser(
+            remove_blank_text=True, resolve_entities=False)
         tree = etree.fromstring(result['arch'], parser)
         result['arch'], result['fields'] = cls.parse_view(
             tree, result['type'], result['field_childs'], level=level)
diff -r 30706ae6b23b -r 2ef295408a0b trytond/protocols/xmlrpc.py
--- a/trytond/protocols/xmlrpc.py       Tue Feb 22 22:57:03 2022 +0100
+++ b/trytond/protocols/xmlrpc.py       Tue Mar 01 19:07:56 2022 +0100
@@ -7,6 +7,7 @@
 # convert decimal to float before marshalling:
 from decimal import Decimal
 
+import defusedxml.xmlrpc
 from werkzeug.wrappers import Response
 from werkzeug.exceptions import (
     BadRequest, InternalServerError, Conflict, Forbidden, Locked,
@@ -21,6 +22,8 @@
 
 logger = logging.getLogger(__name__)
 
+defusedxml.xmlrpc.monkey_patch()
+
 
 def dump_decimal(self, value, write):
     write('<value><bigdecimal>')

Reply via email to