beevik / etree

parse and generate XML easily in go
BSD 2-Clause "Simplified" License

vulnerabilities #128

Closed ken-coding closed 5 months ago

ken-coding commented 7 months ago

Looks like there could be a lot of vulnerabilities with this project (according to the OpenSSF Scorecard report https://securityscorecards.dev/viewer/?uri=github.com/beevik/etree). I believe that most could be resolved by updating the version of Go used (1.13 support ended 3.5 years ago).

In addition, this library will not pass fuzz testing. This could be fixed by adding checks to ensure XML is valid:

```go
import "encoding/xml"

// IsValidXML reports whether s unmarshals without error under encoding/xml.
func IsValidXML(s string) bool {
	arr := []byte(s)
	return xml.Unmarshal(arr, new(interface{})) == nil
}
```

beevik commented 7 months ago

The version declaration in go.mod is not a version requirement. It is simply a specification of the version of the go language the package is compatible with. People who use the etree package are free to use whichever version of go they like, as long as it is at least 1.13.

The recommendation to validate every XML string passed into the library is an onerous one. Unmarshalling every XML string before processing it would result in a significant degradation in performance.

jordangov commented 7 months ago

Perhaps there would be some option for a "secure" parse? That way people could enable it in environments where this is important (like pulling in untrusted XML from external sources). That's our use case, anyway.

beevik commented 7 months ago

> Perhaps there would be some option for a "secure" parse? That way people could enable it in environments where this is important (like pulling in untrusted XML from external sources). That's our use case, anyway.

I like this idea of adding "Safe" variants of the Read functions. I'll work something up.

beevik commented 5 months ago

Commit https://github.com/beevik/etree/commit/8bd2f9e9be9ae99e2874caf7c22edbf80f43f121 added support for a ValidateInput option in ReadSettings. When set to true, the provided XML is validated against the go xml package's rules for well-formed XML.
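Added example (not etree's code and not from the commit above): a stdlib-only `ValidateXML` helper that shows what checking input against encoding/xml's well-formedness rules involves, next to the `Unmarshal` one-liner from the first comment. It also goes beyond the one-liner by requiring exactly one root element with nothing but whitespace, comments or processing instructions around it, since `Unmarshal` stops reading after the first element.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
)

// UnmarshalCheck is the one-liner proposed in the issue: it returns true as
// soon as the first element has been skipped, so bytes after the root element
// are never examined.
func UnmarshalCheck(data []byte) bool {
	return xml.Unmarshal(data, new(interface{})) == nil
}

// ValidateXML (assumed helper, not part of etree) walks every token with the
// strict encoding/xml decoder and additionally requires exactly one root
// element with only whitespace, comments or PIs outside it.
func ValidateXML(data []byte) error {
	dec := xml.NewDecoder(bytes.NewReader(data))
	dec.Strict = true // mismatched/unclosed tags and unknown entities are errors
	depth, roots := 0, 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		}
		if err != nil {
			return err // decoder syntax error, includes the line number
		}
		switch t := tok.(type) {
		case xml.StartElement:
			if depth == 0 {
				roots++
			}
			depth++
		case xml.EndElement:
			depth--
		case xml.CharData:
			if depth == 0 && len(bytes.TrimSpace(t)) > 0 {
				return fmt.Errorf("text %q outside the root element", t)
			}
		}
	}
	if roots != 1 {
		return fmt.Errorf("expected exactly one root element, found %d", roots)
	}
	return nil
}
```

On the constructed inputs `<a></a><b>`, `<a/><b/>` and `<a></a>trailing`, `UnmarshalCheck` returns true while `ValidateXML` returns an error; both reject `<a>&bogus;</a>` and `<a><b></a>`.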

jordangov commented 5 months ago

Awesome, thank you!

TimBurns commented 5 months ago

Thank you beevik!