From 2fdfe919f299b21f1609bf898f9dcfde58770ac0 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Thu, 22 Dec 2022 11:05:42 +0100
Subject: [PATCH] [Fixes #10462] GeoNode is vulnerable to an XML External Entity (XXE) injection (#10463) (#10467)

Co-authored-by: Alessio Fabiani
---
 geonode/geoserver/helpers.py | 4 ++--
 geonode/geoserver/tests/test_helpers.py | 18 +++++++++++++++++-
 geonode/geoserver/views.py | 4 ++--
 3 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/geonode/geoserver/helpers.py b/geonode/geoserver/helpers.py
index ba235b0dce6..bee9a103fdc 100755
--- a/geonode/geoserver/helpers.py
+++ b/geonode/geoserver/helpers.py
@@ -238,7 +238,7 @@ def extract_name_from_sld(gs_catalog, sld, sld_file=None):
 sld = sld_file.read()
 if isinstance(sld, str):
 sld = sld.encode('utf-8')
- dom = etree.XML(sld)
+ dom = etree.XML(sld, parser=etree.XMLParser(resolve_entities=False))
 elif sld_file and isfile(sld_file):
 with open(sld_file, "rb") as sld_file:
 sld = sld_file.read()
@@ -378,7 +378,7 @@ def set_dataset_style(saved_dataset, title, sld, base_file=None):
 elif isinstance(sld, str):
 sld = sld.strip('b\'\n')
 sld = re.sub(r'(\\r)|(\\n)', '', sld).encode("UTF-8")
- etree.XML(sld)
+ etree.XML(sld, parser=etree.XMLParser(resolve_entities=False))
 elif base_file and isfile(base_file):
 with open(base_file, "rb") as sld_file:
 sld = sld_file.read()
diff --git a/geonode/geoserver/tests/test_helpers.py b/geonode/geoserver/tests/test_helpers.py
index bd49c202700..228324f9b79 100644
--- a/geonode/geoserver/tests/test_helpers.py
+++ b/geonode/geoserver/tests/test_helpers.py
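Review bot: The hardened parser on the added `dom = etree.XML(sld, parser=etree.XMLParser(resolve_entities=False))` line is constructed inline, and the identical expression is repeated in the `set_dataset_style` hunk below and in both `views.py` hunks; one module-level `_SAFE_XML_PARSER = etree.XMLParser(resolve_entities=False)` (or a small `parse_sld_xml(data)` helper) would keep the four call sites from drifting and give a single place to document why entity resolution is disabled. The change itself looks right: `resolve_entities=False` makes lxml leave entity references unexpanded, and the `XMLParser` defaults (`no_network=True`, `load_dtd=False`, `huge_tree=False`) keep the remaining DTD and expansion limits in place. `extract_name_from_sld` continues past the hunk; the `elif sld_file and isfile(sld_file)` branch only reads bytes into `sld` here, so whatever parses that value further down must use the same parser, which I cannot confirm from this hunk.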
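Review bot: The added `etree.XML(sld, parser=...)` call in `set_dataset_style` discards its result, so it only validates the string; if the SLD is parsed again later (for example when the style is pushed to GeoServer or its name is extracted), that later parse needs the same `resolve_entities=False` parser or the check here protects nothing. That code is outside the hunk, so I cannot tell from here. A comment would make the intent explicit: `# Validation only; entity resolution is disabled so a crafted SLD cannot trigger XXE (see #10462).` The `elif base_file and isfile(base_file)` branch reads bytes into `sld` without a parse inside this hunk, and `set_dataset_style` continues past it.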
@@ -28,7 +28,10 @@
 from geonode.decorators import on_ogc_backend
 from geonode.tests.base import GeoNodeBaseTestSupport
 from geonode.geoserver.views import _response_callback
-from geonode.geoserver.helpers import get_dataset_storetype
+from geonode.geoserver.helpers import (
+ gs_catalog,
+ get_dataset_storetype,
+ extract_name_from_sld)
 from geonode.layers.populate_datasets_data import create_dataset_data
 from geonode.geoserver.ows import (
@@ -71,6 +74,19 @@ def setUp(self):
 self.passwd = 'admin'
 create_dataset_data()
+ @on_ogc_backend(geoserver.BACKEND_PACKAGE)
+ def test_extract_name_from_sld(self):
+ content = """
+ ]>
+
+
+
+ &ent;
+
+
+"""
+ self.assertIsNone(extract_name_from_sld(gs_catalog, content))
+
 @on_ogc_backend(geoserver.BACKEND_PACKAGE)
 def test_replace_callback(self):
 content = f"""
diff --git a/geonode/geoserver/views.py b/geonode/geoserver/views.py
index 4be9b87619f..642dcf0a956 100644
--- a/geonode/geoserver/views.py
+++ b/geonode/geoserver/views.py
@@ -179,7 +179,7 @@ def respond(*args, **kw):
 if isfile(sld):
 with open(sld) as sld_file:
 sld = sld_file.read()
- etree.XML(sld)
+ etree.XML(sld, parser=etree.XMLParser(resolve_entities=False))
 except Exception:
 logger.exception("The uploaded SLD file is not valid XML")
 raise Exception(
@@ -799,7 +799,7 @@ def get_capabilities(request, layerid=None, user=None,
 }
 gc_str = tpl.render(ctx)
 gc_str = gc_str.encode("utf-8", "replace")
- layerelem = etree.XML(gc_str)
+ layerelem = etree.XML(gc_str, parser=etree.XMLParser(resolve_entities=False))
 rootdoc = etree.ElementTree(layerelem)
 except Exception as e:
 import traceback
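Review bot: The new `test_extract_name_from_sld` asserts only `assertIsNone(...)`, which cannot distinguish "the entity was left unexpanded" from "the parser rejected the document" or "no name was found for an unrelated reason"; a second assertion that a benign SLD without a DOCTYPE still returns its `Name` would pin the intended behaviour and catch a regression in the parser call. The XML markup of `content` appears to have been stripped in this rendering (only `]>` and `&ent;` survive), so I cannot review the fixture itself; whatever it declares, it should reference only a local, non-existent resource so the test stays hermetic and does not depend on the host's files. A one-line docstring, `"""A DOCTYPE-declared entity must not be resolved while parsing an SLD (#10462)."""`, would record what the test guards.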
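Review bot: `sld` reaches the hardened `etree.XML(sld, parser=...)` call as a `str`, because `with open(sld) as sld_file:` on the line above opens the file in text mode; lxml rejects a `str` that carries an XML encoding declaration (`ValueError: Unicode strings with encoding declaration are not supported`), so as far as I can see an otherwise valid SLD that starts with `<?xml version="1.0" encoding="UTF-8"?>` is reported as "not valid XML" by the broad `except Exception` below. This predates the commit, but the `helpers.py` hunks already encode to bytes before parsing, so reading the file as bytes here, `with open(sld, "rb") as sld_file:`, would make the three SLD call sites consistent. The enclosing `respond` function starts and ends outside the hunk.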
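Review bot: `gc_str` on the `layerelem = etree.XML(gc_str, parser=...)` line is rendered by the server's own template from `ctx`, so disabling entity resolution here is defence in depth rather than the fix for the reported issue; a short comment would stop a future reader from assuming untrusted XML flows through `get_capabilities`, e.g. `# Server-rendered document; entity resolution disabled for consistency with the SLD parsers.` Whether any value in `ctx` originates from a request parameter is decided outside the hunk, so I cannot rule that out from here. `get_capabilities` starts and ends outside the hunk.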