Avoid external entity security vulnerability by rejecting XML docs with entities in lxml parsing

[jmurty]

Raise an exception if a document containing entities is parsed by the
underlying lxml library, since malicious entity declarations could be
used to expose the content of arbitrary local files.

To re-enable parsing of entities set: xml4h.impls.lxml_etree.permit_parse_unsafe_entities = True

[jmurty]

I was notified on the potential security vulnerability where XML docs with entity references to local files could be parsed by the lxml implementation to expose the contents of arbitrary local files.

While xml4h is indeed somewhat vulnerable to malicious XML entity references exposing local file data, I don't think this is a realistic attack vector.

To obtain local file data an attacker would need to supply an XML document to be parsed by a victim system, and then also somehow access the Python objects representing that parsed document to expose the data. But in the case an attacker can run the arbitrary Python code needed to access the parsed object data, you have bigger problems: they could just open() the local file.

Alternatively a risk might be if the victim system provided just the data from parsed documents back to the user that supplied the XML document, or to people in general. But that seems like such a wrong-headed thing to do in the first place that I doubt anyone actually would or does do it.

All that said, if after more thought I decide this is a realistic vulnerability that does actually need to be fixed, this change would prevent that specific kind of attack.

[danielelkabes]

Hi @jmurty any updates on this ?