
use defusedxml to avoid DoS attacks while loading XML

This commit is contained in:
Hans-Christoph Steiner 2018-08-29 17:27:04 +02:00
parent cc94ebca30
commit 4d13a904f3
4 changed files with 10 additions and 4 deletions


@ -28,6 +28,7 @@
import collections import collections
import defusedxml.minidom
import git import git
import glob import glob
import os import os
@ -36,7 +37,6 @@ import logging
import requests import requests
import shutil import shutil
import tempfile import tempfile
import xml.dom.minidom
import zipfile import zipfile
from argparse import ArgumentParser from argparse import ArgumentParser
@ -94,7 +94,7 @@ For more info on this idea:
continue continue
dest = os.path.join(cpdir, f) dest = os.path.join(cpdir, f)
if f.endswith('.xml'): if f.endswith('.xml'):
doc = xml.dom.minidom.parse(repof) doc = defusedxml.minidom.parse(repof)
output = doc.toprettyxml(encoding='utf-8') output = doc.toprettyxml(encoding='utf-8')
with open(dest, 'wb') as f: with open(dest, 'wb') as f:
f.write(output) f.write(output)
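Review bot: The `defusedxml.minidom.parse(repof)` call in the `if f.endswith('.xml'):` branch can now raise defusedxml's own exceptions (EntitiesForbidden, ExternalReferenceForbidden, and their common base DefusedXmlException) on a document the previous `xml.dom.minidom.parse` accepted, and nothing in the hunk handles that. The loop this branch belongs to starts outside the hunk, so the decision is whether one hostile or malformed .xml should abort the whole copy or be skipped; if skipping is intended, wrap the parse in `except defusedxml.DefusedXmlException as e:` with a logged warning and `continue`, otherwise let it propagate but say so in a comment. With `import xml.dom.minidom` dropped, it is also worth confirming no other `xml.dom.minidom` reference remains elsewhere in this file.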


@ -39,7 +39,7 @@ import base64
import zipfile import zipfile
import tempfile import tempfile
import json import json
import xml.etree.ElementTree as XMLElementTree import defusedxml.ElementTree as XMLElementTree
from binascii import hexlify from binascii import hexlify
from datetime import datetime, timedelta from datetime import datetime, timedelta
@ -74,7 +74,6 @@ STANDARD_FILE_NAME_REGEX = re.compile(r'^(\w[\w.]*)_(-?[0-9]+)\.\w+')
MAX_VERSION_CODE = 0x7fffffff # Java's Integer.MAX_VALUE (2147483647) MAX_VERSION_CODE = 0x7fffffff # Java's Integer.MAX_VALUE (2147483647)
XMLNS_ANDROID = '{http://schemas.android.com/apk/res/android}' XMLNS_ANDROID = '{http://schemas.android.com/apk/res/android}'
XMLElementTree.register_namespace('android', 'http://schemas.android.com/apk/res/android')
config = None config = None
options = None options = None
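Review bot: Dropping `XMLElementTree.register_namespace('android', ...)` is a behaviour change beyond the parser swap: if anything in this module serialises an Element tree that carries XMLNS_ANDROID (tostring/write), the `android:` prefix will now come out as an auto-generated `ns0:` prefix. The removal looks forced because defusedxml.ElementTree does not re-export `register_namespace`, but the registration lives on the stdlib module that defusedxml wraps, so it can be kept with `import xml.etree.ElementTree` and `xml.etree.ElementTree.register_namespace('android', 'http://schemas.android.com/apk/res/android')`. If no serialisation happens here, a one-line comment at the XMLNS_ANDROID constant saying the prefix is read-only would save the next reader the same question.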


@ -69,6 +69,7 @@ setup(name='fdroidserver',
install_requires=[ install_requires=[
'androguard >= 3.1.0rc2', 'androguard >= 3.1.0rc2',
'clint', 'clint',
'defusedxml',
'GitPython', 'GitPython',
'mwclient', 'mwclient',
'paramiko', 'paramiko',
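Review bot: The new `'defusedxml'` entry in install_requires carries no lower bound, unlike the neighbouring `'androguard >= 3.1.0rc2'`, even though the set of helpers defusedxml.ElementTree re-exports has varied between releases and the other hunks in this commit depend on that surface. Pinning the release this was tested against, `'defusedxml >= <minimum tested version>'`, keeps an older preinstalled copy from breaking the import at runtime.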


@ -681,6 +681,12 @@ class CommonTest(unittest.TestCase):
sig = fdroidserver.common.metadata_find_developer_signature('org.smssecure.smssecure') sig = fdroidserver.common.metadata_find_developer_signature('org.smssecure.smssecure')
self.assertEqual('b30bb971af0d134866e158ec748fcd553df97c150f58b0a963190bbafbeb0868', sig) self.assertEqual('b30bb971af0d134866e158ec748fcd553df97c150f58b0a963190bbafbeb0868', sig)
def test_parse_xml(self):
manifest = os.path.join('source-files', 'fdroid', 'fdroidclient', 'AndroidManifest.xml')
parsed = fdroidserver.common.parse_xml(manifest)
self.assertIsNotNone(parsed)
self.assertEqual(str(type(parsed)), "<class 'xml.etree.ElementTree.Element'>")
def test_parse_androidmanifests(self): def test_parse_androidmanifests(self):
app = fdroidserver.metadata.App() app = fdroidserver.metadata.App()
app.id = 'org.fdroid.fdroid' app.id = 'org.fdroid.fdroid'
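Review bot: The new test_parse_xml only checks that a well-formed manifest comes back as an Element; it does not exercise what the commit is for, namely that parse_xml now refuses the XML constructs defusedxml exists to block, and since defusedxml returns stdlib Elements this test would pass unchanged against the old parser. A companion test that writes a small file with an internal entity declaration and asserts `defusedxml.EntitiesForbidden` is raised pins the mitigation (parse_xml itself is outside the hunk, so this assumes it calls the defused parser; confirm before adding). The string comparison `self.assertEqual(str(type(parsed)), "<class 'xml.etree.ElementTree.Element'>")` could also be `self.assertIsInstance(parsed, xml.etree.ElementTree.Element)` if that module is imported in the test file. The enclosing CommonTest class continues outside the hunk, and the test module would need `defusedxml` (and `tempfile`, if not already imported) in scope.
```python
    def test_parse_xml_rejects_entities(self):
        # constructed sample: a document declaring an internal entity must be refused
        with tempfile.TemporaryDirectory() as tmpdir:
            path = os.path.join(tmpdir, 'entity.xml')
            with open(path, 'w') as fp:
                fp.write('<?xml version="1.0"?><!DOCTYPE m [<!ENTITY e "x">]><manifest>&e;</manifest>')
            with self.assertRaises(defusedxml.EntitiesForbidden):
                fdroidserver.common.parse_xml(path)
```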