Closed dwisiswant0 closed 4 years ago
Summary

The LoadURL function allows all response types/formats to be parsed (other than XML), so that it can proceed to the next process (e.g. xmlquery.(*Node).InnerText from xmlquery.FindOne) without validation.

Description

This security issue affects all xmlquery versions.

Steps to Reproduce

```go
package main

import (
	"fmt"

	"github.com/antchfx/xmlquery"
)

func main() {
	// https://httpbin.org/get answers with a JSON body, not XML. LoadURL parses it
	// anyway and returns a document without an error.
	wadl, err := xmlquery.LoadURL("https://httpbin.org/get")
	if err != nil {
		panic(err)
	}
	// That document has no //application element, so FindOne returns nil.
	attr := xmlquery.FindOne(wadl, "//application/@xmlns")
	// InnerText is called on a nil *Node: nil pointer dereference.
	fmt.Println(attr.InnerText())
}
```

The logs will look similar to the following:

```
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x28 pc=0x6a179a]

goroutine 1 [running]:
github.com/antchfx/xmlquery.(*Node).InnerText.func1(0xc00032e2d0, 0x0)
	/home/dw1/.go/src/github.com/antchfx/xmlquery/node.go:55 +0x2a
github.com/antchfx/xmlquery.(*Node).InnerText(0x0, 0x746b67, 0x14)
	/home/dw1/.go/src/github.com/antchfx/xmlquery/node.go:67 +0x84
main.main()
	/tmp/xmlquery.go:15 +0xa0
exit status 2
```

Vulnerable code: https://github.com/antchfx/xmlquery/blob/64ca73d0e0da75a116e3b7a9d6eb6c493e8a0836/node.go#L50-L62

Recommended Mitigations

- LoadURL, if not in XML format, then returns an error.
- xml.Unmarshal (only to check the validity of the XML content).
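The two mitigations above, worked through as an added example that is not part of the issue and not xmlquery's own code: a response check that rejects non-XML Content-Types and then validates the body with a strict encoding/xml token walk (the job the issue assigns to xml.Unmarshal), plus a lookup that reports a missing node as ok=false instead of handing the caller a nil to dereference. It is written against the standard library only, so it runs offline; the function names, the set of accepted media types, the 4 MiB read cap and the two sample bodies are assumptions of this example, not xmlquery behaviour.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"mime"
	"net/http"
	"strings"
)

// isXMLMediaType accepts text/xml, application/xml and +xml subtypes such as application/vnd.sun.wadl+xml.
func isXMLMediaType(contentType string) bool {
	mt, _, err := mime.ParseMediaType(contentType) // drops "; charset=..." parameters
	return err == nil && (mt == "text/xml" || mt == "application/xml" || strings.HasSuffix(mt, "+xml"))
}

// validateXML does what the issue proposes xml.Unmarshal for: it only checks that the body is
// well-formed XML with a root element. The strict decoder rejects mismatched tags and a premature
// EOF itself; non-whitespace text before the root (all a JSON body is to the tokenizer) is rejected here.
func validateXML(r io.Reader) error {
	dec := xml.NewDecoder(r) // Strict is the default
	sawRoot := false
	for {
		tok, err := dec.Token()
		if err == io.EOF && sawRoot {
			return nil
		}
		if err != nil { // includes EOF with no root element, as xml.Unmarshal would report for JSON
			return fmt.Errorf("not a well-formed XML document: %w", err)
		}
		if _, ok := tok.(xml.StartElement); ok {
			sawRoot = true
		} else if cd, ok := tok.(xml.CharData); ok && !sawRoot && strings.TrimSpace(string(cd)) != "" {
			return errors.New("body is not an XML document")
		}
	}
}

// checkXMLResponse is the check LoadURL lacks: a non-XML Content-Type or a body that fails validation
// yields an error, never a parsed document. The caller still closes resp.Body.
func checkXMLResponse(resp *http.Response) ([]byte, error) {
	ct := resp.Header.Get("Content-Type")
	if !isXMLMediaType(ct) {
		return nil, fmt.Errorf("not an XML response: Content-Type %q", ct)
	}
	body, err := io.ReadAll(io.LimitReader(resp.Body, 4<<20)) // assumed 4 MiB cap
	if err != nil {
		return nil, err
	}
	if err := validateXML(bytes.NewReader(body)); err != nil {
		return nil, err
	}
	return body, nil
}

// rootAttr mirrors the PoC's //application/@xmlns lookup but reports absence as ok=false,
// so the caller branches on it instead of calling a method on a nil node.
func rootAttr(doc []byte, element, attr string) (string, bool) {
	dec := xml.NewDecoder(bytes.NewReader(doc))
	for {
		tok, err := dec.Token()
		if err != nil {
			return "", false // no root element at all, or malformed input
		}
		if se, isStart := tok.(xml.StartElement); isStart {
			for _, a := range se.Attr {
				if se.Name.Local == element && a.Name.Local == attr {
					return a.Value, true
				}
			}
			return "", false // root is a different element or lacks the attribute
		}
	}
}

// sampleResponse builds an in-memory response from a constructed body, so nothing touches the network.
func sampleResponse(contentType, body string) *http.Response {
	return &http.Response{
		Header: http.Header{"Content-Type": {contentType}},
		Body:   io.NopCloser(strings.NewReader(body)),
	}
}

func main() {
	for _, resp := range []*http.Response{
		sampleResponse("application/json", `{"url": "https://httpbin.org/get", "args": {}}`), // constructed, shaped like httpbin.org/get
		sampleResponse("application/vnd.sun.wadl+xml", `<?xml version="1.0"?><application xmlns="http://wadl.dev.java.net/2009/02"/>`), // constructed minimal WADL
	} {
		doc, err := checkXMLResponse(resp)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		ns, ok := rootAttr(doc, "application", "xmlns")
		fmt.Printf("application/@xmlns=%q found=%v\n", ns, ok)
	}
}
```

Both layers are needed: a server can send text/xml with a JSON body, which is why the body is tokenized after the media-type check, and the nil check on the query result belongs in the caller regardless of what the loader does, since an XML document that simply lacks the queried element produces the same nil.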