XML Injection

Bug #1657139 reported by Shaik Apsar
Affects                      Status     Importance  Assigned to  Milestone
OpenStack DBaaS (Trove)      New        Wishlist    Unassigned
OpenStack Security Advisory  Won't Fix  Undecided   Unassigned

Bug Description

The xml.dom.minidom module is not secure against maliciously constructed data. If you need to parse untrusted or unauthenticated data see XML vulnerabilities.

The Trove code base is using xml.dom.minidom.

Writing unvalidated data into an XML document can allow an attacker to change the structure and contents of the XML.

https://github.com/openstack/trove/blob/129fac7d5374e18a428afa1b5c0259743677222e/trove/common/base_wsgi.py#L509

Tags: security
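As an added illustration (not code from Trove, and not from this report), the following Python shows the two halves of the point made in the description: a value written into an XML document by string concatenation can close its element and add siblings, while a document built through the minidom DOM API and emitted with toxml() has the same value escaped, so the structure is preserved. The serializer functions, the `user` root element, the key-name rule and the sample dict are assumptions made for this example; they are not Trove's XMLDictSerializer.

```python
import re
import xml.dom.minidom as minidom

# Constructed sample input (not taken from the bug report): the "name" value is
# text that, if pasted into XML unescaped, would close <name> and add a <role>.
SAMPLE = {"name": "alice</name><role>admin</role><name>", "role": "user"}

# Simplified XML Name rule for element names that come from dict keys
# (assumption for this example; a real serializer needs its own rule).
# Values are never passed through this check; they are escaped instead.
_NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]*")


def _check_name(name):
    if not _NAME_RE.fullmatch(name):
        raise ValueError("invalid element name: %r" % name)
    return name


def serialize_by_concat(root, data):
    """Unsafe pattern: values are interpolated into the XML text unescaped."""
    parts = ["<%s>" % _check_name(root)]
    for key, value in data.items():
        parts.append("<%s>%s</%s>" % (_check_name(key), value, key))
    parts.append("</%s>" % root)
    return "".join(parts)


def serialize_by_dom(root, data):
    """Safer pattern: build a DOM tree; minidom escapes &, <, > in text nodes."""
    doc = minidom.Document()
    root_el = doc.createElement(_check_name(root))
    doc.appendChild(root_el)
    for key, value in data.items():
        el = doc.createElement(_check_name(key))
        el.appendChild(doc.createTextNode(str(value)))
        root_el.appendChild(el)
    return doc.documentElement.toxml()


def child_elements(xml_text):
    """Parse the serializer's own output and list the root's child element names."""
    doc = minidom.parseString(xml_text)
    return [n.tagName for n in doc.documentElement.childNodes
            if n.nodeType == n.ELEMENT_NODE]


def text_of(xml_text, tag):
    """Return the text content of the first element named `tag` after parsing."""
    doc = minidom.parseString(xml_text)
    el = doc.getElementsByTagName(tag)[0]
    return "".join(n.data for n in el.childNodes if n.nodeType == n.TEXT_NODE)


def structure_preserved(root, data, serializer):
    """Check a serializer: exactly one child element per key, in key order."""
    return child_elements(serializer(root, data)) == list(data)


if __name__ == "__main__":
    for fn in (serialize_by_concat, serialize_by_dom):
        out = fn("user", SAMPLE)
        print(fn.__name__, "->", out)
        print("  children:", child_elements(out),
              "structure preserved:", structure_preserved("user", SAMPLE, fn))
```

The check functions parse only the serializer's own output, which this code produced; they are not a way to parse untrusted XML, which is the separate concern the description quotes from the Python documentation (the documentation points to the defusedxml package for that case).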
Jeremy Stanley (fungi) wrote :

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Changed in ossa:
status: New → Incomplete
description: updated
Tristan Cacqueray (tristan-cacqueray) wrote :

trove-coresec, can the XMLDictSerializer be used with user-supplied data, or is it only processing known/safe XML objects?

Amrith Kumar (amrith) wrote :

My suspicion is that this issue was found using some code inspection tool and not actual observation of an issue. As best as I can tell, this should not be an issue in practice but I will check and update.

Amrith Kumar (amrith) wrote :

Tristan, as best as I can tell from a quick review of the code, this is not a vulnerability but an opportunity for hardening. I will request additional review (others on trove-coresec) and update in the next day or two.

Tristan Cacqueray (tristan-cacqueray) wrote :

Amrith, any objections if we switch this to public and close the OSSA task?

Amrith Kumar (amrith) wrote :

Tristan, no objections.

Jeremy Stanley (fungi)
description: updated
information type: Private Security → Public
tags: added: security
Changed in ossa:
status: Incomplete → Won't Fix
Amrith Kumar (amrith)
Changed in trove:
importance: Undecided → Wishlist