[try] fix possible XXE vulnerabilities#10193
Open
wwwww127 wants to merge 2 commits into RT-Thread:master from
Conversation
The original code may have had an XXE vulnerability, which is now fixed
The original code may have had an XXE vulnerability, which is now largely fixed.
Contributor
Pull Request Overview
This PR aims to mitigate potential XXE vulnerabilities in the XML parsing by switching from the standard ElementTree parser to defusedxml's secure parse function.
- Replace the usage of etree.parse with defusedxml.ElementTree.parse.
- Introduce additional imports to handle the revised parsing and exception handling.
Comment on lines +91 to +92:
    # tree = etree.parse('template_vs2005.vcproj')
    tree = parse('template_vs2005.vcproj', forbid_dtd=False, forbid_external=True)
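Review bot: the DefusedXmlException import that the description adds has no handler visible around the parse call at +92; either wrap the call in try/except DefusedXmlException so a rejected template yields a clear build-script error, or drop the unused import. The description should also state that the input is the scripts' own template_vs2005.vcproj rather than user-supplied XML, since that bounds the risk this change addresses.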
The commented-out legacy parsing code may lead to confusion; consider removing it if it's no longer needed.
Suggested change
    # tree = etree.parse('template_vs2005.vcproj')
    tree = parse('template_vs2005.vcproj', forbid_dtd=False, forbid_external=True)
    tree = etree.parse('template_vs2005.vcproj')
    # tree = etree.parse('template_vs2005.vcproj')
    tree = parse('template_vs2005.vcproj', forbid_dtd=False, forbid_external=True)
The current configuration allows DTDs (forbid_dtd=False) which may still enable XXE attacks; if the intent is to fully mitigate XXE vulnerabilities, consider setting forbid_dtd to True.
Suggested change
    tree = parse('template_vs2005.vcproj', forbid_dtd=False, forbid_external=True)
    tree = parse('template_vs2005.vcproj', forbid_dtd=True, forbid_external=True)
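The two review threads above turn on what the three defusedxml switches actually block. The following is an added example, not code from this PR or from the RT-Thread build scripts: it re-implements the same three switches (forbid_dtd, forbid_entities, forbid_external) on the standard library's expat callbacks so it runs without the defusedxml dependency, and it contrasts them with the plain xml.etree parser the PR replaces. The exception class names, parse_hardened, classify and the sample documents are all constructed for this illustration; only the parameter names and their defaults (DTD allowed, entity declarations and external references blocked) follow defusedxml's parse() and the call in the PR.

```python
# Added example (not the PR's code): stdlib-only re-implementation of the
# forbid_dtd / forbid_entities / forbid_external guards, built on expat callbacks.
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET


class DTDForbidden(ValueError):
    """Raised when a DOCTYPE appears and forbid_dtd=True (our name, not defusedxml's)."""


class EntitiesForbidden(ValueError):
    """Raised on any <!ENTITY ...> declaration when forbid_entities=True."""


class ExternalReferenceForbidden(ValueError):
    """Raised when content references an external entity and forbid_external=True."""


def parse_hardened(data, *, forbid_dtd=False, forbid_entities=True, forbid_external=True):
    """Parse XML (bytes or str) into an Element, aborting on forbidden constructs.

    Defaults mirror the PR's call: DTDs allowed, external references blocked,
    entity declarations blocked. Each guard runs inside an expat callback, so
    parsing stops before any entity is expanded or any external resource is read.
    """
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()
    # Ordinary events go straight to the TreeBuilder.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data

    if forbid_dtd:
        def on_doctype(name, sysid, pubid, has_internal_subset):
            raise DTDForbidden(f"DOCTYPE {name!r} not allowed")
        parser.StartDoctypeDeclHandler = on_doctype

    if forbid_entities:
        # Fires for internal and external entity declarations alike, so an
        # external entity is rejected before it can ever be referenced.
        def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
            raise EntitiesForbidden(f"entity declaration {name!r} not allowed")
        parser.EntityDeclHandler = on_entity_decl

    if forbid_external:
        # Reached only when declarations are allowed and content uses &name;
        # for an entity declared with SYSTEM/PUBLIC.
        def on_external_ref(context, base, sysid, pubid):
            raise ExternalReferenceForbidden(f"external entity {sysid!r} not allowed")
        parser.ExternalEntityRefHandler = on_external_ref

    if isinstance(data, str):
        data = data.encode("utf-8")
    parser.Parse(data, True)
    return builder.close()


def classify(data, **switches):
    """Return 'ok' or the name of the guard that rejected the document."""
    try:
        parse_hardened(data, **switches)
    except (DTDForbidden, EntitiesForbidden, ExternalReferenceForbidden) as exc:
        return type(exc).__name__
    return "ok"


# Constructed sample documents (not taken from the repository).
BENIGN = b'<VisualStudioProject Name="demo"><Files/></VisualStudioProject>'
INTERNAL_ENTITY = b'<!DOCTYPE r [<!ENTITY a "AAAA">]><r>&a;</r>'
EXTERNAL_ENTITY = b'<!DOCTYPE r [<!ENTITY x SYSTEM "file:///nonexistent/secret">]><r>&x;</r>'


def stdlib_expands_internal_entity():
    """The parser the PR replaces expands a declared internal entity silently."""
    return ET.fromstring(INTERNAL_ENTITY).text


if __name__ == "__main__":
    print("stdlib text:", stdlib_expands_internal_entity())
    for label, doc in [("benign", BENIGN), ("internal", INTERNAL_ENTITY), ("external", EXTERNAL_ENTITY)]:
        print(label, "defaults:", classify(doc), "| forbid_dtd:", classify(doc, forbid_dtd=True))
```

With the PR's settings (forbid_dtd=False) the DOCTYPE itself is accepted, but both sample entities are still rejected at their declaration because entity declarations stay blocked; setting forbid_dtd=True, as the second suggestion proposes, rejects the document one step earlier, at the DOCTYPE, which is the stricter choice when the template never needs a DTD.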
Member
This is a vulnerability-level change aimed at the Python scripts, and we do not yet know how wide its impact is. @Rbb666, could you take a look or do some verification? And because at present
PR description:
Why submit this PR:
The original code is subject to XXE attacks.
What is your solution:
Add:
    from defusedxml.ElementTree import parse
    from defusedxml.common import DefusedXmlException
Modified to:
    tree = parse('template_vs2005.vcproj', forbid_dtd=False, forbid_external=True)
Intent for your PR
Choose one (Mandatory):
Code Quality:
As part of this pull request, I've considered the following:
All redundant code is removed and cleaned up (no #if 0 code, no commented-out code)