[Backport 4.1.x] [Fixes #10462] GeoNode is vulnerable to an XML External Entity (XXE) injection

geonode/geoserver/helpers.py

@@ -238,7 +238,7 @@ def extract_name_from_sld(gs_catalog, sld, sld_file=None):
                     sld = sld_file.read()
             if isinstance(sld, str):
                 sld = sld.encode('utf-8')
-            dom = etree.XML(sld)
+            dom = etree.XML(sld, parser=etree.XMLParser(resolve_entities=False))
         elif sld_file and isfile(sld_file):
             with open(sld_file, "rb") as sld_file:
                 sld = sld_file.read()
@@ -378,7 +378,7 @@ def set_dataset_style(saved_dataset, title, sld, base_file=None):
             elif isinstance(sld, str):
                 sld = sld.strip('b\'\n')
                 sld = re.sub(r'(\\r)|(\\n)', '', sld).encode("UTF-8")
-            etree.XML(sld)
+            etree.XML(sld, parser=etree.XMLParser(resolve_entities=False))
         elif base_file and isfile(base_file):
             with open(base_file, "rb") as sld_file:
                 sld = sld_file.read()

geonode/geoserver/tests/test_helpers.py

@@ -28,7 +28,10 @@
 from geonode.decorators import on_ogc_backend
 from geonode.tests.base import GeoNodeBaseTestSupport
 from geonode.geoserver.views import _response_callback
-from geonode.geoserver.helpers import get_dataset_storetype
+from geonode.geoserver.helpers import (
+    gs_catalog,
+    get_dataset_storetype,
+    extract_name_from_sld)
 from geonode.layers.populate_datasets_data import create_dataset_data
 
 from geonode.geoserver.ows import (
@@ -71,6 +74,19 @@ def setUp(self):
         self.passwd = 'admin'
         create_dataset_data()
 
+    @on_ogc_backend(geoserver.BACKEND_PACKAGE)
+    def test_extract_name_from_sld(self):
+        content = """<?xml version="1.0" standalone="yes"?>
+<!DOCTYPE foo [ <!ENTITY ent SYSTEM "/etc/passwd" > ]>
+<foo xmlns="http://www.opengis.net/sld">
+<NamedLayer>
+    <UserStyle>
+        <Name>&ent;</Name>
+    </UserStyle>
+</NamedLayer>
+</foo>"""
+        self.assertIsNone(extract_name_from_sld(gs_catalog, content))
+
     @on_ogc_backend(geoserver.BACKEND_PACKAGE)
     def test_replace_callback(self):
         content = f"""<Layer>

geonode/geoserver/views.py

@@ -179,7 +179,7 @@ def respond(*args, **kw):
                 if isfile(sld):
                     with open(sld) as sld_file:
                         sld = sld_file.read()
-                etree.XML(sld)
+                etree.XML(sld, parser=etree.XMLParser(resolve_entities=False))
         except Exception:
             logger.exception("The uploaded SLD file is not valid XML")
             raise Exception(
@@ -799,7 +799,7 @@ def get_capabilities(request, layerid=None, user=None,
                     }
                     gc_str = tpl.render(ctx)
                     gc_str = gc_str.encode("utf-8", "replace")
-                    layerelem = etree.XML(gc_str)
+                    layerelem = etree.XML(gc_str, parser=etree.XMLParser(resolve_entities=False))
                     rootdoc = etree.ElementTree(layerelem)
             except Exception as e:
                 import traceback