XML security #22
We use lxml, not the Python standard library's parser. But I do see in the defusedxml README that it has some vulnerabilities. We do pass the lxml.etree document root to the user's callback function, so switching to a different parser would be an API change. Which of the mitigations in defusedxml can we apply without switching parsers? Which is lxml permanently vulnerable to?
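One way to answer the first question in practice, as an added example that is not the project's code: configure the lxml parser the project already uses so that entity expansion and external fetches are switched off, then apply a small acceptance policy before handing the root to the callback. The callback still receives an ordinary lxml.etree element, so the API does not change. The two documents, the `parse_untrusted`/`is_accepted` helpers and the `UnsafeXML` exception are constructed for this illustration; the `XMLParser` keyword options are real lxml options.

```python
# Added example (not the project's code): harden the lxml parser the project
# already uses, so the lxml.etree root handed to user callbacks is unchanged
# while entity expansion and external fetches are switched off.
from lxml import etree

# Constructed sample: a notice that declares an internal entity and references it.
SAMPLE_WITH_ENTITY = b"""<?xml version="1.0"?>
<!DOCTYPE VOEvent [<!ENTITY note "expanded text">]>
<voe:VOEvent xmlns:voe="http://www.ivoa.net/xml/VOEvent/v2.0" role="test">
  <Description>&note;</Description>
</voe:VOEvent>"""

# Constructed sample: a plain notice with no DOCTYPE, as a well-behaved sender produces.
SAMPLE_PLAIN = b"""<?xml version="1.0"?>
<voe:VOEvent xmlns:voe="http://www.ivoa.net/xml/VOEvent/v2.0" role="test">
  <Description>plain text</Description>
</voe:VOEvent>"""


class UnsafeXML(ValueError):
    """Raised when a document uses features the policy below does not allow."""


def make_hardened_parser():
    # Real lxml.etree.XMLParser options. Together they cover the defusedxml
    # concerns that can be handled on the lxml side: entity expansion,
    # external entities/DTDs fetched over the network, oversized trees.
    return etree.XMLParser(
        resolve_entities=False,  # keep entity references as nodes instead of expanding them
        no_network=True,         # never fetch external DTDs or entities
        load_dtd=False,          # do not load an external DTD subset
        huge_tree=False,         # keep libxml2's built-in size and depth limits
    )


def parse_untrusted(data, reject_doctype=True):
    """Parse bytes with the hardened parser and apply a simple policy.

    VOEvent is schema-based, so a DOCTYPE has no legitimate use in a notice;
    rejecting it outright is the cheapest defence. Any entity-reference node
    that survives parsing shows expansion was disabled and is rejected too.
    """
    root = etree.fromstring(data, parser=make_hardened_parser())
    if reject_doctype and root.getroottree().docinfo.doctype:
        raise UnsafeXML("DOCTYPE declarations are not accepted")
    if any(True for _ in root.iter(etree.Entity)):
        raise UnsafeXML("unexpanded entity references present")
    return root


def is_accepted(data):
    """True when the policy lets the document through."""
    try:
        parse_untrusted(data)
    except (UnsafeXML, etree.XMLSyntaxError):
        return False
    return True


def unexpanded_entity_names(data):
    """Names of entity references left in the tree (policy check skipped),
    showing that resolve_entities=False really leaves them unexpanded."""
    root = etree.fromstring(data, parser=make_hardened_parser())
    return [node.name for node in root.iter(etree.Entity)]


if __name__ == "__main__":
    print("plain accepted:", is_accepted(SAMPLE_PLAIN))                      # True
    print("entity accepted:", is_accepted(SAMPLE_WITH_ENTITY))               # False
    print("entity refs left:", unexpanded_entity_names(SAMPLE_WITH_ENTITY))  # ['note']
```

The DOCTYPE check is deliberately blunt: the internal subset is still parsed even with `resolve_entities=False`, so refusing any document that carries one removes the whole class of entity tricks rather than trying to classify them. What this parser configuration cannot do is protect against problems that sit in libxml2 itself, which is the part of the question that would need the defusedxml table rather than a parser option.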
Unfortunately I do not have experience nor expertise in XML parsing and vulnerability mitigation. I do see that the
The relevant code seems to revolve around this function: I assume the actual risk is low, considering that the organizations generating the VOEvent notices are unlikely to send malicious XML documents, but perhaps someone who has the time and energy to tackle this will see this issue and make it more secure.
The problem is that GCN has no protection against MITM attacks, because it does not have any message authentication. The network traffic is sent in the clear and without signatures of any kind. An attacker could inject maliciously crafted VOEvent packets.
@manning-ncsa, would you like to submit a PR to implement the mitigation described in that
😲
I suppose in light of your previous comment I have more of a self-interest in doing so. If I do implement anything like that, I will definitely submit a PR.
First of all, thanks for creating and sharing this Python package. While exploring the code and beginning to write our own handler function, I noticed that according to the Python docs, there are XML vulnerabilities that should probably be secured using something like defusedxml. Have you considered using this package to parse the incoming packets?