Fixed XML selector against XXE attacks

c2a424da · Claudio Salazar · 43217fd6 · c2a424da · c2a424da
隐藏空白更改
内联并排

Showing with 16 addition and 1 deletion

scrapy/selector/unified.py scrapy/selector/unified.py +6 -1

scrapy/tests/test_selector.py scrapy/tests/test_selector.py +10 -0

未找到文件。
--- a/scrapy/selector/unified.py
+++ b/scrapy/selector/unified.py
@@ -15,11 +15,16 @@ from .csstranslator import ScrapyHTMLTranslator, ScrapyGenericTranslator

 __all__ = ['Selector', 'SelectorList']

+
+class SafeXMLParser(etree.XMLParser):
+    def __init__(self, *args, **kwargs):
+        super(SafeXMLParser, self).__init__(*args, resolve_entities=False, **kwargs)
+
 _ctgroup = {
    'html': {'_parser': etree.HTMLParser,
             '_csstranslator': ScrapyHTMLTranslator(),
             '_tostring_method': 'html'},
-    'xml': {'_parser': etree.XMLParser,
+    'xml': {'_parser': SafeXMLParser,
            '_csstranslator': ScrapyGenericTranslator(),
            '_tostring_method': 'xml'},
 }

--- a/scrapy/tests/test_selector.py
+++ b/scrapy/tests/test_selector.py
@@ -332,6 +332,16 @@ class SelectorTestCase(unittest.TestCase):
        div_class = x.xpath('//div/@class')
        self.assertTrue(all(map(lambda e: hasattr(e._root, 'getparent'), div_class)))

+    def test_xml_entity_expansion(self):
+        malicious_xml = '<?xml version="1.0" encoding="ISO-8859-1"?>'\
+            '<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM '\
+            '"file:///etc/passwd" >]><foo>&xxe;</foo>'
+
+        response = XmlResponse('http://example.com', body=malicious_xml)
+        sel = self.sscls(response=response)
+
+        self.assertEqual(sel.extract(), '<foo>&xxe;</foo>')
+

 class DeprecatedXpathSelectorTest(unittest.TestCase):