Skip to content

/ pysaml2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce xml_safe as a module to control xml opearations #498

Open
wants to merge 1 commit into
base: master
from
Open

Introduce xml_safe as a module to control xml opearations #498

wants to merge 1 commit into from

Conversation

@c00kiemon5ter
Copy link
Member

@c00kiemon5ter c00kiemon5ter commented Mar 1, 2018

This is related to CVE-2017-11427 and VU#475445
Related issues: #496, #497
Reported by duo through this blog post

pysaml2 is not affected, as, by default, the xml.etree.ElementTree and xml.etree.cElementTree parsers ignore comment nodes. However, this commit makes sure that the ElementTree being used is set correctly through defusexml lib and centralizes the control of which functions are exposed and available for usage in the code. Any code that needs a function to parse, modify or serialize XML should be obtained through the xml_safe module. The new module asks defusexml to provide the function and if it is not available it will fallback to the one provided by xml.etree.cElementTree. This is a guarantee that functions like parse, fromstring et al are provided by defusexml lib.

All Submissions:

  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?
  • Have you added an explanation of what problem you are trying to solve with this PR?
  • Have you added information on what your changes do and why you chose this as your solution?
  • Have you written new tests for your changes?
  • Does your submission pass tests?
  • This project follows PEP8 style guide. Have you run your code against the 'flake8' linter?

I am putting this here mostly to get feedback and I will soon add tests and reformat this PR to match the problem/solution format that the template suggests.
@c00kiemon5ter c00kiemon5ter force-pushed the c00kiemon5ter:fix-ensure-xml-safe-operations branch 2 times, most recently from 88d3a90 to 1845dd7 Mar 2, 2018
@Plazmaz
Copy link

@Plazmaz Plazmaz commented Mar 2, 2018
edited

Would it be worth printing a warning if defusedxml isn't used?
EDIT: Whoops, never mind
@c00kiemon5ter
Introduce xml_safe as a module to control xml opearations
Loading status checks…
ab34e7c 
This is related to CVE-2017-11427[0] and VU#475445[1]
Related issues: #496 #497
Reported by duo[2] through this blog post[3]

pysaml2 is not affected, as, by default, the xml.etree.ElementTree and
xml.etree.cElementTree parsers ignore comments. However, this commit
makes sure that the ElementTree being used is set correctly through
defusexml lib and centralizes the control of which functions are exposed
and available for usage in the code. Any code that needs a function to
parse, modify or serialize XML should be obtain through the xml_safe
module. The new module asks defusexml to provide the function and if it
is not available it will fallback to the one provided by
xml.etree.cElementTree. This is a guarantee that functions like parse,
fromstring et al are provided by defusexml lib.

  [0]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-11427
  [1]: https://www.kb.cert.org/vuls/id/475445
  [2]: https://duo.com
  [3]: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
@c00kiemon5ter c00kiemon5ter force-pushed the c00kiemon5ter:fix-ensure-xml-safe-operations branch from 1845dd7 to ab34e7c Mar 3, 2018
@c00kiemon5ter c00kiemon5ter mentioned this pull request May 25, 2018
Merged
6 of 6 tasks complete
@c00kiemon5ter c00kiemon5ter mentioned this pull request Jun 4, 2018
Closed
4 of 6 tasks complete
@marcpare marcpare mentioned this pull request Jun 5, 2018
Closed
@c00kiemon5ter c00kiemon5ter self-assigned this Aug 3, 2018
@erakli
Copy link

@erakli erakli commented Nov 20, 2018

I wonder, why this PR still not merged?
@c00kiemon5ter
Copy link
Member Author

@c00kiemon5ter c00kiemon5ter commented Nov 20, 2018

Caught up into other aspects. This is not ready, it's just a start. Ideally we should not need to rely on defusedxml.
@erakli
Copy link

@erakli erakli commented Nov 20, 2018

And what alternative can you propose?
@Plazmaz
Copy link

@Plazmaz Plazmaz commented Nov 20, 2018
edited

Why is defusedxml not an option? It addresses several security concerns present in python's standard parser. I think falling back onto standard xml or another library is a good option, but I still think using defusedxml by default is preferable.
@c00kiemon5ter
Copy link
Member Author

@c00kiemon5ter c00kiemon5ter commented Nov 22, 2018

defusedxml is the current choice and works with the builtin xml parser. Going forward, we will most probably switch to lxml and want to have control over the XML parser behaviour. Needed security options from defusedxml will be incorporated. However, defusedxml doesn't seem to be very active and the lxml wrapper has known issues - also see tiran/defusedxml#15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@c00kiemon5ter c00kiemon5ter

Labels
None yet
Projects
None yet
Milestone
No milestone
Linked issues

Successfully merging this pull request may close these issues.

None yet

3 participants
@c00kiemon5ter @Plazmaz @erakli
You can’t perform that action at this time.