Fix external entities vulnerability (#35)

* Fix external entities vulnerability xml.sax is vulnerable to external entities & expansion. Take a dependency on the defusedxml module, which provides the same interface. Thanks to @KevinHock
salesforce-python-client · Nov 22, 2017 · d69a73c · d69a73c
1 parent 95d31b4
commit d69a73c
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 2 deletions.
diff --git a/requirements.txt b/requirements.txt
@@ -0,0 +1 @@
+defusedxml>=0.5.0
diff --git a/setup.py b/setup.py
@@ -2,7 +2,8 @@
 from setuptools import setup
 
 setup(name='pyforce',
-    version='1.7.3', # be sure to update the version in pyforce.py too
+    version='1.8.0',
+    install_requires=['defusedxml>=0.5.0'],
     package_dir={'': 'src'},
     packages=['pyforce'],
     author = "Simon Fell et al.  reluctantly Forked by idbentley",

diff --git a/src/pyforce/xmltramp.py b/src/pyforce/xmltramp.py
@@ -1,8 +1,9 @@
 """xmltramp: Make XML documents easily accessible."""
 
+import defusedxml
 from xml.sax.handler import EntityResolver, DTDHandler, ContentHandler,\
     ErrorHandler
-from xml.sax import make_parser
+from defusedxml.sax import make_parser
 from xml.sax.handler import feature_namespaces
 
 __version__ = "2.18"
@@ -475,5 +476,28 @@ def unittest():
         '<a xmlns="http://a"><b xmlns="http://b"/></a>'
     ).__repr__(1) == '<a xmlns="http://a"><b xmlns="http://b"></b></a>'
 
+    # This uses internal entities to DoS vulnerable XML parsers
+    evil_xml = """<?xml version="1.0"?>
+        <!DOCTYPE lolz [
+         <!ENTITY lol "lol">
+         <!ELEMENT lolz (#PCDATA)>
+         <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
+         <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
+         <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
+         <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
+         <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
+         <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
+         <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
+         <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
+         <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
+        ]>
+        <lolz>&lol9;</lolz>"""
+    try:
+        assert parse(evil_xml)
+        # It never gets here and instead raises a defusedxml.common.EntitiesForbidden exception
+        assert False
+    except defusedxml.common.EntitiesForbidden:
+        assert True
+
 if __name__ == '__main__':
     unittest()