use defusedxml to avoid DoS attacks while loading XML

2018-08-29 17:27:04 +02:00 · 2018-08-29 17:27:04 +02:00 · 4d13a904f3
parent cc94ebca30
commit 4d13a904f3
4 changed files with 10 additions and 4 deletions
--- a/fdroidserver/btlog.py
+++ b/fdroidserver/btlog.py
@ -28,6 +28,7 @@


 import collections
+import defusedxml.minidom
 import git
 import glob
 import os
@ -36,7 +37,6 @@ import logging
 import requests
 import shutil
 import tempfile
-import xml.dom.minidom
 import zipfile
 from argparse import ArgumentParser

@ -94,7 +94,7 @@ For more info on this idea:
                continue
            dest = os.path.join(cpdir, f)
            if f.endswith('.xml'):
-                doc = xml.dom.minidom.parse(repof)
+                doc = defusedxml.minidom.parse(repof)
                output = doc.toprettyxml(encoding='utf-8')
                with open(dest, 'wb') as f:
                    f.write(output)
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@ -39,7 +39,7 @@ import base64
 import zipfile
 import tempfile
 import json
-import xml.etree.ElementTree as XMLElementTree
+import defusedxml.ElementTree as XMLElementTree

 from binascii import hexlify
 from datetime import datetime, timedelta
@ -74,7 +74,6 @@ STANDARD_FILE_NAME_REGEX = re.compile(r'^(\w[\w.]*)_(-?[0-9]+)\.\w+')
 MAX_VERSION_CODE = 0x7fffffff  # Java's Integer.MAX_VALUE (2147483647)

 XMLNS_ANDROID = '{http://schemas.android.com/apk/res/android}'
-XMLElementTree.register_namespace('android', 'http://schemas.android.com/apk/res/android')

 config = None
 options = None
--- a/setup.py
+++ b/setup.py
@ -69,6 +69,7 @@ setup(name='fdroidserver',
      install_requires=[
          'androguard >= 3.1.0rc2',
          'clint',
+          'defusedxml',
          'GitPython',
          'mwclient',
          'paramiko',
--- a/tests/common.TestCase
+++ b/tests/common.TestCase
@ -681,6 +681,12 @@ class CommonTest(unittest.TestCase):
        sig = fdroidserver.common.metadata_find_developer_signature('org.smssecure.smssecure')
        self.assertEqual('b30bb971af0d134866e158ec748fcd553df97c150f58b0a963190bbafbeb0868', sig)

+    def test_parse_xml(self):
+        manifest = os.path.join('source-files', 'fdroid', 'fdroidclient', 'AndroidManifest.xml')
+        parsed = fdroidserver.common.parse_xml(manifest)
+        self.assertIsNotNone(parsed)
+        self.assertEqual(str(type(parsed)), "<class 'xml.etree.ElementTree.Element'>")
+
    def test_parse_androidmanifests(self):
        app = fdroidserver.metadata.App()
        app.id = 'org.fdroid.fdroid'