You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I'm having a look at the source code and dasbus/xml.py caught my attention. xml.etree.ElementTree and xml.dom.minidom are being imported and used without checking the validity of the xml passed to them. Therefore, in case a malicious xml is passed to them it can cause problems such as crashing the server.
Also, I believe this will not have a security implication since if an attacker gains access to the server code they don't need this issue! And the code is not accessible from the client side either. Having said that, I wanted let you know about this issue and ask if you could possibly address it. Thanks.
Here's a quick example by changing a couple of lines in the hello world example in the project that would show the issue.
#
# Run the service org.example.HelloWorld.
#
from dasbus.loop import EventLoop
from dasbus.server.interface import dbus_interface
from dasbus.typing import Str
from common import HELLO_WORLD, SESSION_BUS
from dasbus.xml import XMLGenerator
# Amir added the following variable:
xml_str = '''<?xml version="1.0"?>
<!DOCTYPE bomb [
<!ENTITY a "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
]>
<bomb>&a;</bomb>
'''
@dbus_interface(HELLO_WORLD.interface_name)
class HelloWorld(object):
"""The DBus interface for HelloWorld."""
def Hello(self, name: Str) -> Str:
"""Generate a greeting.
:param name: someone to say hello
:return: a greeting
"""
return "Hello {}!".format(name)
if __name__ == "__main__":
# Print the generated XML specification.
# print(XMLGenerator.prettify_xml(HelloWorld.__dbus_xml__))
# Amir added the following line:
print(XMLGenerator.prettify_xml(xml_str))
try:
# Create an instance of the class HelloWorld.
hello_world = HelloWorld()
# Publish the instance at /org/example/HelloWorld.
SESSION_BUS.publish_object(HELLO_WORLD.object_path, hello_world)
# Register the service name org.example.HelloWorld.
SESSION_BUS.register_service(HELLO_WORLD.service_name)
# Start the event loop.
loop = EventLoop()
loop.run()
finally:
# Unregister the DBus service and objects.
SESSION_BUS.disconnect()
The text was updated successfully, but these errors were encountered:
I'm having a look at the source code and
dasbus/xml.pycaught my attention.xml.etree.ElementTreeandxml.dom.minidomare being imported and used without checking the validity of thexmlpassed to them. Therefore, in case a malicious xml is passed to them it can cause problems such as crashing the server.Also, I believe this will not have a security implication since if an attacker gains access to the server code they don't need this issue! And the code is not accessible from the client side either. Having said that, I wanted let you know about this issue and ask if you could possibly address it. Thanks.
Here's a quick example by changing a couple of lines in the hello world example in the project that would show the issue.
The text was updated successfully, but these errors were encountered: