
Double-quotes cause errors in xpath #63

Open
mccalluc opened this issue Apr 24, 2015 · 2 comments

@mccalluc

At https://github.com/projecthydra/om/blob/master/lib/om/xml/term_value_operators.rb#L168, OM trusts that the template will not contain a double-quote. If it does...

require "om"
class MockMetadata
  include OM::XML::Document
  set_terminology do |t|
    t.root(path: 'fields')
    # The double quotes in this term path are what reach the eval in
    # term_value_operators.rb and break out of the Ruby string.
    t.title(path: '//title[@attr=";puts %q{I can inject ruby here!}; exit;"]')
  end
  def self.xml_template
    Nokogiri::XML.parse("<fields/>")
  end
end

newdoc = MockMetadata.new
newdoc.title = 'test'

$ ruby test.rb
I can inject ruby here!

That double quotes are not allowed is not immediately obvious. We see it being done at https://github.com/projecthydra-labs/hydradam/blob/master/app/models/datastreams/import_pbcore_datastream.rb#L10

At the root, this is another symptom of the same problem described in #11.
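
An added example, not code from the OM project or from the issue author, showing the defensive alternative to the eval at the linked line: compose the XPath for a term value with ordinary string operations and quote the value as an XPath 1.0 literal, so a double quote in the term path stays XPath data and is never parsed as Ruby. It also includes a guard that flags the characters that terminate or interpolate an eval'd double-quoted Ruby string, useful while an eval-based expansion is still in place. `build_value_xpath`, its `[text()=...]` predicate and `template_safe?` are assumptions for illustration, not OM's API.

```ruby
# Added example (not OM's code): eval-free XPath composition for term values.

# Sequences that break out of, or interpolate into, an eval'd double-quoted
# Ruby string. A term path containing any of them must not be handed to eval.
EVAL_BREAKERS = ['"', '#{', '\\'].freeze

# Guard for the interim case where the eval cannot be removed yet:
# returns false if the template could alter the Ruby that eval will parse.
def template_safe?(template)
  EVAL_BREAKERS.none? { |s| template.include?(s) }
end

# Wrap a value as an XPath 1.0 string literal. XPath 1.0 has no escape
# character, so a value containing both kinds of quote is assembled with
# concat(), which is the standard way to express such a literal.
def xpath_literal(value)
  return "'#{value}'" unless value.include?("'")
  return "\"#{value}\"" unless value.include?('"')
  pieces = value.split("'", -1).map { |p| "'#{p}'" }
  "concat(#{pieces.join(%q{, "'", })})"
end

# Hypothetical composition of the XPath that selects a term node carrying a
# given text value. The term path is inserted verbatim (it is trusted XPath,
# not Ruby) and the value is quoted, so neither side is ever evaluated.
def build_value_xpath(term_path, value)
  "#{term_path}[text()=#{xpath_literal(value)}]"
end

if __FILE__ == $PROGRAM_NAME
  # The term path from the issue report, reused as constructed sample input.
  path = '//title[@attr=";puts %q{I can inject ruby here!}; exit;"]'
  puts "safe for eval? #{template_safe?(path)}"      # false
  puts build_value_xpath(path, 'test')                # plain XPath, nothing executed
  puts xpath_literal(%q{a'b"c})                       # concat('a', "'", 'b"c')
end
```

Run with `ruby example.rb`: the path from the report is reported as unsafe for eval, and `build_value_xpath` simply returns an XPath string; the `puts ... exit` payload never leaves the string.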

@jcoyne
Contributor

jcoyne commented Apr 24, 2015

Yep, that eval stuff is the devil. Somebody should remove it.

@atz
Contributor

atz commented May 27, 2015

Very evil. Purify with fire.
