Add some XML validation to avoid xmpsdk bugs #1878
Codecov Report
@@ Coverage Diff @@
## main #1878 +/- ##
==========================================
+ Coverage 60.77% 60.79% +0.01%
==========================================
Files 96 96
Lines 18887 18962 +75
Branches 9498 9516 +18
==========================================
+ Hits 11478 11527 +49
- Misses 5116 5134 +18
- Partials 2293 2301 +8
I haven't studied this to find out exactly what you're doing. If you'd like me to look carefully, I'll do that on Saturday. I'm really surprised at the detail of the new errors (line/col); isn't it possible to just throw "illegal token" and leave the user to figure it out in more detail?
Did you write the XMLValidator class from scratch, or was it obtained from the internet?
@clanmills: The detailed error messages with line/column number are displaying the error information produced by libexpat. Those messages are probably only useful for debugging, so I'll dial them down to "INFO" level so that they aren't displayed by default.
…l?id=37363 Do some basic XML validation before running the xmpsdk library to avoid bugs in xmpsdk.
@clanmills: Do you think this is ok to merge? Also, do you think we should backport it to 0.27-maintenance? (It fixes a stack overflow due to unbounded recursion, so it's a relatively mild denial of service vulnerability.)
Apologies for not reading your messages. I saw the emails about this and wrongly thought "I'm not involved". Thanks for pinging me on the chat-server. Correct move.
Good work on class XMLValidator. Looks sensible to me. It's a pity expat doesn't deal with this. I wonder if somebody can cause an infinite loop of XML attributes.
And thank you for "dialing down" the message level.
Let's hope your optimism about closing similar reports is well judged and calm returns.
@Mergifyio backport 0.27-maintenance
Add some XML validation to avoid xmpsdk bugs (backport #1878)
Fixes: #1877
Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37363
Add an XML validation pass to check that the XML is valid, before calling the xmpsdk library. This should help to avoid bugs in xmpsdk. #1877 is a stack overflow, caused by a deeply nested XML tree, so the validator checks that the tree isn't too deep. (Currently set to a maximum depth of 1000 - that might need to be tweaked.)
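
The depth-limited pre-validation described above, as an added example that is not the project's `XMLValidator` class: it uses Python's standard-library binding to libexpat, and `validate_xml`, `XmlTooDeep` and the sample inputs are constructed for illustration. Only the limit of 1000 comes from the PR description.

```python
import xml.parsers.expat

MAX_DEPTH = 1000  # limit quoted in the PR description


class XmlTooDeep(Exception):
    """Raised from the start-element handler to abort parsing early."""


def validate_xml(data: bytes, max_depth: int = MAX_DEPTH):
    """Return (ok, reason). Hypothetical helper, not exiv2's API.

    Runs a streaming expat pass that only counts element nesting, so a
    hostile document is rejected before a recursive consumer sees it.
    """
    parser = xml.parsers.expat.ParserCreate()
    depth = 0

    def on_start(name, attrs):
        nonlocal depth
        depth += 1
        if depth > max_depth:
            raise XmlTooDeep(f"nesting depth exceeds {max_depth}")

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)  # True: this is the final chunk
    except XmlTooDeep as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        # expat supplies line/column; the thread treats these as debug detail
        return False, f"malformed XML at line {exc.lineno}, column {exc.offset}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: at the limit, one level past it, and mismatched tags.
    for sample in (b"<a>" * 1000 + b"</a>" * 1000,
                   b"<a>" * 1001 + b"</a>" * 1001,
                   b"<a><b></a>"):
        print(len(sample), validate_xml(sample))
```
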