[CVE-2020-27197] Avoid SSRF on parsing XML #247

orsinium · 2020-10-16T12:40:18Z

What

Add alllow_url=False option for parse. If it is False, the function checks that the passed string has no URL scheme specified.
Add allow_path=True option for parse. If it is False, use etree.fromstring instead of etree.parse.
Explicitly specify the allow_path value for every call of parse.

Tests are included.

Closes #246

orsinium · 2020-10-19T08:55:59Z

Tested on our staging environment, the fix seems to be working as expected.

emmanvg

Thanks for confirming the fix @orsinium.

orsinium added 4 commits October 16, 2020 12:23

avoid loading files in some cases

e8918f0

use from_string if no URL allowed

3c980ed

check if no protocol specified

d207cc2

provide a few simple tests

587d180

orsinium changed the title ~~Avoid SSRF on parsing XML~~ [CVE-2020-27197] Avoid SSRF on parsing XML Oct 19, 2020

emmanvg added this to the libtaxii 1.1.118 milestone Oct 19, 2020

emmanvg approved these changes Oct 19, 2020

View reviewed changes

emmanvg merged commit 23c6f7b into TAXIIProject:master Oct 19, 2020

orsinium deleted the fix-ssrf branch October 19, 2020 13:49

mrginglymus mentioned this pull request Jun 3, 2021

#247 breaks libtaxii on windows #252

Open

haby0 mentioned this pull request Feb 28, 2022

[Python]: Add Server-side Request Forgery sinks github/securitylab#545

Closed

2 tasks