Description
I encountered an issue in the threatlib where the threat definition for "DO04" causes an exception when used with a Dataflow whose data.format is set to "XML".
The problem occurs because the threat’s condition references the property handlesResources, which is not defined for Dataflow objects.
As soon as the first part of the condition evaluates to True, PyTM attempts to check target.handlesResources and fails.
Threat definition causing the issue
{
    "SID": "DO04",
    "target": [
        "Dataflow"
    ],
    "description": "XML Entity Expansion",
    "details": "An attacker submits an XML document to a target application where the XML document uses nested entity expansion to produce an excessively large output XML. XML allows the definition of macro-like structures that can be used to simplify the creation of complex structures. However, this capability can be abused to create excessive demands on a processor's CPU and memory. A small number of nested expansions can result in an exponential growth in demands on memory.",
    "Likelihood Of Attack": "High",
    "severity": "Medium",
    "condition": "any(d.format == 'XML' for d in target.data) and target.handlesResources is False",
    "prerequisites": "...",
    "mitigations": "...",
    "example": "...",
    "references": "..."
}
Steps to reproduce
Using the latest master branch, the issue can be reproduced with:
from pytm.pytm import Data, Server, Dataflow

data_1 = Data("Test_1", format='XML')
server_1 = Server("Server_1")
server_2 = Server("Server_2")
dataflow_1 = Dataflow(
    "Test_2",
    data=data_1,
    source=server_1,
    sink=server_2
)
Workaround
I temporarily resolved the issue by removing the second condition from "DO04" in threats.json, but this is only a local fix.
Environment
- OS: Windows
- Python: 3.11.6
- PyTM: latest master
- Threatlib source: default threats.json in repo
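Added example, not part of the original report or of the pytm code base: a static check that parses a threat's condition and flags any `target.<attr>` the declared target class does not define. Because it never evaluates the condition, it catches the problem even when the first clause is False and short-circuiting would hide it. The `Dataflow`, `Server` and `Data` classes and the names `target_attrs`, `lint_threat` and `SAMPLES` are stand-ins constructed for this example, with `Server` assumed to define `handlesResources`.

```python
import ast

# Stand-in classes constructed for this example (not pytm's real classes).
# Dataflow lacks handlesResources, as the report describes.
class Data:
    def __init__(self, format):
        self.format = format

class Dataflow:
    def __init__(self, data):
        self.data = data

class Server:
    def __init__(self):
        self.data = []
        self.handlesResources = False  # assumption made for this example

SAMPLES = {"Dataflow": Dataflow([Data("XML")]), "Server": Server()}

def target_attrs(condition):
    """Return every attribute name read directly from `target` in a condition."""
    tree = ast.parse(condition, mode="eval")
    return sorted({
        node.attr for node in ast.walk(tree)
        if isinstance(node, ast.Attribute)
        and isinstance(node.value, ast.Name)
        and node.value.id == "target"
    })

def lint_threat(threat, samples=SAMPLES):
    """List (SID, target class, attribute) for attributes the target lacks."""
    problems = []
    for cls_name in threat["target"]:
        for attr in target_attrs(threat["condition"]):
            if not hasattr(samples[cls_name], attr):
                problems.append((threat["SID"], cls_name, attr))
    return problems

# The DO04 entry from the report, reduced to the fields the check needs.
DO04 = {
    "SID": "DO04",
    "target": ["Dataflow"],
    "condition": "any(d.format == 'XML' for d in target.data) "
                 "and target.handlesResources is False",
}

if __name__ == "__main__":
    for sid, cls_name, attr in lint_threat(DO04):
        print(f"{sid}: condition reads target.{attr}, undefined on {cls_name}")
```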