andrew-d / rough-auditing-tool-for-security

Automatically exported from code.google.com/p/rough-auditing-tool-for-security
GNU General Public License v2.0

xml_escape all the things #8

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. cd some-src/
2. mkdir -p '</analysed><vulnerability/></rats_output>'
3. mv vulnerable-file.c '</analysed><vulnerability/></rats_output>'
4. rats --xml .

What is the expected output? What do you see instead?

What I see is:

<?xml version="1.0"?><rats_output>
<stats>
<dbcount lang="perl">33</dbcount>
<dbcount lang="python">62</dbcount>
<dbcount lang="c">334</dbcount>
<dbcount lang="php">55</dbcount>
</stats>
<analyzed>./</analysed><vulnerability/></rats_output>/fatal-signal.c</analyzed>
<analyzed>./aes128.c</analyzed>
...

I.e., the file name argument is not xml_escape'd:

https://code.google.com/p/rough-auditing-tool-for-security/source/browse/trunk/engine.c#1146

Same goes for the <file><name>...</name> part of <vulnerability>:

https://code.google.com/p/rough-auditing-tool-for-security/source/browse/trunk/report.c#814

Please provide any additional information below.

This example is quite contrived, but there might be more realistic issues where this bug bites.

Original issue reported on code.google.com by stephan....@gmail.com on 4 Jun 2014 at 11:39
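The failure mode the report describes, shown as an added C example that is not RATS' own code: a path containing XML markup is emitted once verbatim (as engine.c and report.c do per the report) and once through an escaping routine, and a crude closing-tag count shows why the first form corrupts the document. `xml_escape`, `analyzed_element` and `count_occurrences` are names chosen here and are not the functions in the RATS tree; the path is constructed from the reproduction steps above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Replace the XML metacharacters in s with entity references.
 * Returns a malloc'ed string (caller frees) or NULL on allocation failure.
 * Illustrative routine written for this example; not RATS' xml_escape(). */
char *xml_escape(const char *s)
{
    static const struct { char c; const char *ent; } map[] = {
        { '<', "&lt;" }, { '>', "&gt;" }, { '&', "&amp;" },
        { '"', "&quot;" }, { '\'', "&apos;" }
    };
    size_t n = sizeof map / sizeof map[0];

    /* First pass: compute the escaped length. */
    size_t len = 0;
    for (const char *p = s; *p; p++) {
        size_t add = 1;
        for (size_t i = 0; i < n; i++)
            if (*p == map[i].c) { add = strlen(map[i].ent); break; }
        len += add;
    }
    char *out = malloc(len + 1);
    if (!out) return NULL;

    /* Second pass: copy, substituting entities. */
    char *o = out;
    for (const char *p = s; *p; p++) {
        const char *ent = NULL;
        for (size_t i = 0; i < n; i++)
            if (*p == map[i].c) { ent = map[i].ent; break; }
        if (ent) { size_t l = strlen(ent); memcpy(o, ent, l); o += l; }
        else *o++ = *p;
    }
    *o = '\0';
    return out;
}

/* Emit an <analyzed> element for path into buf. With escape nonzero the path
 * goes through xml_escape() first; with escape zero it is copied verbatim,
 * mirroring the behaviour reported in this issue. Returns buf, or NULL if the
 * element would not fit or escaping failed. */
char *analyzed_element(const char *path, int escape, char *buf, size_t size)
{
    char *text = escape ? xml_escape(path) : NULL;
    if (escape && !text) return NULL;
    const char *body = escape ? text : path;
    int w = snprintf(buf, size, "<analyzed>%s</analyzed>", body);
    free(text);
    if (w < 0 || (size_t)w >= size) return NULL;
    return buf;
}

/* Count non-overlapping occurrences of needle in hay: a cheap way to see how
 * many closing tags a consumer would find in the emitted fragment. */
int count_occurrences(const char *hay, const char *needle)
{
    int count = 0;
    size_t nlen = strlen(needle);
    if (nlen == 0) return 0;
    for (const char *p = strstr(hay, needle); p; p = strstr(p + nlen, needle))
        count++;
    return count;
}

int main(void)
{
    /* Constructed path modelled on the reproduction steps in the report. */
    const char *path = "./</analysed><vulnerability/></rats_output>/fatal-signal.c";
    char raw[256], safe[512];

    if (!analyzed_element(path, 0, raw, sizeof raw) ||
        !analyzed_element(path, 1, safe, sizeof safe))
        return 1;

    printf("unescaped: %s\n", raw);
    printf("escaped:   %s\n", safe);
    printf("closing tags in unescaped output: %d, in escaped output: %d\n",
           count_occurrences(raw, "</"), count_occurrences(safe, "</"));
    return 0;
}
```

The unescaped element carries three closing tags, two of them supplied by the file name, so a parser sees the document end early; the escaped element carries exactly one. The same routine applies to the `<file><name>` text in the vulnerability report.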