Fix code scanning alert no. 442: Resolving XML external entity in user-controlled data #1078
Conversation
…r-controlled data Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
|
@al-niessner can you review this to make sure it makes sense to you? |
There was a problem hiding this comment.
The code makes sense. What does not make sense is why. The user is just processing their own data on their own machine. It is not like there is some weird injection going from a user clicking on a funky link (phishing). In other words, they could blow up their machine by injecting malicious code or they could just take a hammer to it. Hammer seems more direct and likely than some convoluted XXE. Probably never even realize XXE was an option, but this code will force the hammer approach.
|
@al-niessner I agree with the why, but, in the future, if validate is deployed under the hood of some web app, this could potentially eliminate a risk. |
Fixes https://github.com/NASA-PDS/validate/security/code-scanning/442
To fix the problem, we need to disable external entity resolution in the
TransformerFactoryused in theSchematronTransformerclass. This can be done by setting specific features on theTransformerFactoryinstance to disallow DTDs and external entities. This will prevent XXE attacks by ensuring that the XML parser does not process external entities.The changes should be made in the
buildIsoTransformermethod of theSchematronTransformerclass. We will set the necessary features on theTransformerFactoryinstance to secure it against XXE attacks.Suggested fixes powered by Copilot Autofix. Review carefully before merging.