Security Vulnerability in oval_scanner.py for xml parsing library
goravsingal opened this issue · 7 comments
In a security exercise, this issue was found.
Details
File: oval_scanner.py
Vulnerable library: xml.etree.ElementTree
The exact message
It was observed that the product is vulnerable to XML injection and XML external entity attacks due to absence of XML input validation. A successful exploitation of these attacks can lead to unauthorized execution of commands and information disclosure.
Code in question
import logging
import xml.etree.ElementTree as ET

def build_element_tree(source_content):
    """Build an element tree from source content"""
    logging.debug('build_element_tree')
    # Parses with the stdlib parser, which honours DTDs and entity declarations (the behaviour reported above)
    return ET.fromstring(source_content)
@buddwm Can you please check this issue?
In various articles, it was advised to switch over to another library: defusedxml
I can check this. We can probably merge this into the PR I opened for updates to the oval_scanner.py script as I'm doing a lot of re-writes.
Definitely. Thanks
@buddwm Any idea when you will pick this?
@goravsingal I have limited time this month, and adding to the fact that the PR I submitted calls for some re-writes, I expect to have something probably by the end of this month or beginning of December.
Thanks for the update.
@buddwm When do you plan to fix the security issue mentioned by Gorav?
I am waiting on a fix for defusedxml as outlined here:
tiran/defusedxml#48
I use the Element class to verify the objects getting parsed. Without this, we can have unpredictable results.
As a workaround, we can do
from xml.etree.ElementTree import Element
If this is acceptable I can put in the workaround and we still parse the XML with defusedxml.
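As an added example (not the project's oval_scanner.py code and not the defusedxml library itself), the block below shows what hardening `build_element_tree` amounts to, and why the Element type check discussed in the last comment keeps working. The project's chosen fix is to parse with defusedxml; this example uses only the standard library's expat bindings together with ElementTree's own TreeBuilder, which is the same mechanism defusedxml applies, so it runs without extra dependencies. Every DOCTYPE, entity declaration and external entity reference aborts the parse, which covers both the entity-expansion and XXE cases named in the finding. Because the tree is built by the stdlib TreeBuilder, the result is a genuine xml.etree.ElementTree.Element. The names `safe_fromstring`, `UnsafeXML`, `classify` and the sample documents are assumptions constructed for this example; they are not OVAL content.

```python
# Added example, not the project's code: parse XML the way oval_scanner.py needs,
# but with DTDs, entity declarations and external references rejected outright.
# Uses only the stdlib expat bindings plus ElementTree's TreeBuilder (the same
# approach defusedxml takes), so the returned objects are ordinary
# xml.etree.ElementTree.Element instances and isinstance checks keep working.
import logging
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat
from xml.etree.ElementTree import Element


class UnsafeXML(ValueError):
    """Raised when the input tries to use a DTD, an entity or an external reference."""


def _etree_name(name):
    # With namespace_separator="}", expat reports namespaced names as "uri}local";
    # ElementTree spells them "{uri}local", so restore the leading brace.
    return "{" + name if "}" in name else name


def safe_fromstring(source_content):
    """Replacement for ET.fromstring that never resolves DTDs or entities (assumed name)."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate(None, "}")

    def forbid(*_args):
        # Any DOCTYPE, entity declaration or external reference aborts the parse.
        # Entity-expansion bombs and XXE both need a DTD, so rejecting it at
        # StartDoctypeDecl stops them before expat ever sees an entity body.
        raise UnsafeXML("DTDs, entities and external references are not allowed")

    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.UnparsedEntityDeclHandler = forbid
    parser.ExternalEntityRefHandler = forbid
    parser.StartElementHandler = lambda tag, attrs: builder.start(
        _etree_name(tag), {_etree_name(k): v for k, v in attrs.items()})
    parser.EndElementHandler = lambda tag: builder.end(_etree_name(tag))
    parser.CharacterDataHandler = builder.data
    try:
        parser.Parse(source_content, True)
    except expat.ExpatError as exc:
        # Keep the stdlib's error type so existing callers' except clauses still match.
        raise ET.ParseError(str(exc)) from exc
    return builder.close()


def build_element_tree(source_content):
    """Build an element tree from source content (hardened form of the issue's function)."""
    logging.debug('build_element_tree')
    root = safe_fromstring(source_content)
    # The type check the thread relies on: the stdlib TreeBuilder produced the tree,
    # so the root is a genuine xml.etree.ElementTree.Element.
    if not isinstance(root, Element):
        raise TypeError("parser did not return an xml.etree.ElementTree.Element")
    return root


# Constructed sample inputs for demonstration; not real OVAL content.
BENIGN_XML = '<definitions xmlns="urn:example:oval"><definition id="def-1"/></definitions>'
ENTITY_XML = ('<!DOCTYPE definitions [<!ENTITY lol "lol">]>'
              '<definitions><definition id="&lol;"/></definitions>')
EXTERNAL_XML = ('<!DOCTYPE definitions [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>'
                '<definitions>&ext;</definitions>')


def classify(source_content):
    """Return 'ok', 'unsafe' or 'malformed' for an input (assumed helper for tests/logging)."""
    try:
        build_element_tree(source_content)
    except UnsafeXML:
        return "unsafe"
    except ET.ParseError:
        return "malformed"
    return "ok"


if __name__ == "__main__":
    for label, doc in [("benign", BENIGN_XML), ("entity", ENTITY_XML), ("external", EXTERNAL_XML)]:
        print(label, classify(doc))
```

Rejecting the DOCTYPE outright is stricter than defusedxml's default (which allows a DTD but forbids entities); for a scanner that only ever reads trusted schema-less OVAL content, the stricter setting costs nothing and removes the entity-handling code path entirely.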