mosquito / aiohttp-xmlrpc

XMLRPC for aiohttp
MIT License

Limited XXE attack ability #9

Closed adedov closed 6 years ago

adedov commented 6 years ago

The library parses local XXE entities but does not seem to allow using them inside the XML document. See the responses from examples/server.py before and after a patch that disables entity resolving in lxml:

xxe.xml

<?xml version="1.0"?>
<!DOCTYPE external  [
<!ENTITY ee SYSTEM "file:///dev/random">
]>
<methodCall>
<methodName>x&ee;</methodName>
  <params>
  </params>
</methodCall>

Before patch

$ curl -X POST -H "Content-type: application/xml" -d @xxe.xml http://127.0.0.1:8080/ | grep -Eo "<string>.*</string>"
<string>XMLSyntaxError('Input is not proper UTF-8, indicate encoding !\nBytes: 0xDA 0x08 0xCE 0x99, line 1, column 1',)</string>

After patch

$ curl -X POST -H "Content-type: application/xml" -d @r2-xxe.xml http://127.0.0.1:8080/ | grep -Eo "<string>.*</string>"
<string>&lt;[-32500] ApplicationError(Method 'x' not found)&gt;</string>

So, an attacker has limited ability to leak portions of binary files, maybe something from /proc/self.

Patch

diff --git a/aiohttp_xmlrpc/handler.py b/aiohttp_xmlrpc/handler.py
index 5a443c0..809b489 100644
--- a/aiohttp_xmlrpc/handler.py
+++ b/aiohttp_xmlrpc/handler.py
@@ -123,7 +124,8 @@ class XMLRPCView(View):

     @staticmethod
     def _parse_xml(xml_string):
-        root = etree.fromstring(xml_string)
+        parser = etree.XMLParser(resolve_entities=False)
+        root = etree.fromstring(xml_string, parser)
         schema.assertValid(root)
         return root
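Review bot: the hunk closes entity expansion but not the second disclosure channel shown in the "Before patch" output above, where the raw `XMLSyntaxError` text (including bytes read from the entity target) is returned to the client inside `<string>`; the caller of `_parse_xml` should map parser failures to a fixed "malformed XML" fault rather than echoing `str(exc)`. Two smaller points on the new lines: `etree.XMLParser(resolve_entities=False)` still accepts a DOCTYPE and relies on lxml's defaults for the rest, so consider pinning them explicitly as `etree.XMLParser(resolve_entities=False, load_dtd=False, no_network=True)` so a future lxml default change cannot silently reopen this, and build the parser once at module level instead of on every request, since `_parse_xml` is called per call and the parser object is reusable.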
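An added defender-side check, not code from the issue or from aiohttp-xmlrpc: XML-RPC requests never legitimately carry a DTD, so the request body can be refused before any lxml parsing if it declares a DOCTYPE or entity, and well-formedness errors can be reported with a fixed message instead of the parser's own text. It uses only the stdlib expat parser and the xxe.xml document from the issue as a constructed sample.

```python
import xml.parsers.expat

# Constructed samples: the issue's xxe.xml and a benign request.
XXE_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE external [
<!ENTITY ee SYSTEM "file:///dev/random">
]>
<methodCall><methodName>x&ee;</methodName><params></params></methodCall>"""

CLEAN_DOC = b"""<?xml version="1.0"?>
<methodCall><methodName>x</methodName><params></params></methodCall>"""


class DtdNotAllowed(ValueError):
    """Raised when an XML-RPC body declares a DOCTYPE or an entity."""


def assert_no_dtd(xml_bytes: bytes) -> None:
    """Refuse any DTD up front so no entity can reach the real parser.

    expat does not fetch external entities unless a handler is installed,
    and the DOCTYPE handler aborts parsing before any entity is even read.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdNotAllowed(f"DOCTYPE {name!r} not permitted in XML-RPC request")

    def on_entity(*_args):
        raise DtdNotAllowed("entity declaration not permitted")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError as exc:
        # Fixed message: never echo the parser's error text to the client.
        raise ValueError("malformed XML") from exc


def classify_request(xml_bytes: bytes) -> str:
    """Return 'ok', 'dtd' or 'malformed' for a request body."""
    try:
        assert_no_dtd(xml_bytes)
    except DtdNotAllowed:
        return "dtd"
    except ValueError:
        return "malformed"
    return "ok"
```

Call `assert_no_dtd(body)` before `etree.fromstring` in the request handler; the hardened lxml parser then remains a second layer rather than the only one.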