salesforce-python-client / pyforce

A fork of the salesforce beatbox client.
GNU General Public License v2.0

Fix external entities vulnerability #35

Closed KevinHock closed 6 years ago

KevinHock commented 6 years ago

So xmltramp uses a library called xml.sax: https://github.com/alanjcastonguay/pyforce/blob/master/src/pyforce/xmltramp.py#L5

So the xml.sax library is one of only 2 libraries vulnerable to XML External Entity Expansion (https://docs.python.org/2/library/xml.html#xml-vulnerabilities). If Salesforce gets compromised or has a rogue employee they can probe the network using it and send requests to anything, potentially getting remote code execution. For more information about XXE visit https://en.wikipedia.org/wiki/XML_external_entity_attack
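Added example, not code from pyforce or from this PR: a stdlib-only guard that makes an xml.sax parse refuse any document carrying a DOCTYPE (the place where entity declarations, and therefore external entities, are introduced), which is the same kind of refusal the defusedxml package adopted in this PR performs. The sample documents and the `file:///placeholder` system id are constructed for the demonstration.

```python
import xml.sax
from xml.sax import handler
from io import BytesIO


class DTDForbidden(ValueError):
    """Raised when the input document declares a DTD."""


class _RejectDTD(object):
    """Lexical handler: expat reports every <!DOCTYPE ...> through startDTD,
    before any entity declared inside it can be processed."""

    def startDTD(self, name, public_id, system_id):
        raise DTDForbidden("DOCTYPE %r declares a DTD; refusing to parse" % name)

    # expatreader looks these up eagerly, so they must exist even if unused.
    def endDTD(self): pass
    def comment(self, content): pass
    def startCDATA(self): pass
    def endCDATA(self): pass


class _Collector(handler.ContentHandler):
    """Records element names and character data of the parsed document."""

    def __init__(self):
        handler.ContentHandler.__init__(self)
        self.elements, self.text = [], []

    def startElement(self, name, attrs):
        self.elements.append(name)

    def characters(self, content):
        self.text.append(content)


def parse_safely(data):
    """Parse XML bytes with xml.sax, rejecting DTDs and never fetching
    external entities. Returns (element names, concatenated text)."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, False)  # no external general entities
    parser.setFeature(handler.feature_external_pes, False)  # no external parameter entities
    parser.setProperty(handler.property_lexical_handler, _RejectDTD())
    collector = _Collector()
    parser.setContentHandler(collector)
    parser.parse(BytesIO(data))
    return collector.elements, "".join(collector.text).strip()


# Constructed sample inputs, not taken from Salesforce or the page.
BENIGN = b"<?xml version='1.0'?><result><name>Acme</name></result>"
WITH_DTD = (b"<?xml version='1.0'?>"
            b"<!DOCTYPE result [<!ENTITY ext SYSTEM 'file:///placeholder'>]>"
            b"<result><name>&ext;</name></result>")
```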

ellieayla commented 6 years ago

I acknowledge that Salesforce can be the attacking party here. But is the vector you're concerned about some untrusted party submitting stuff to Salesforce, and then this library reading it back out?

KevinHock commented 6 years ago

I'm not sure what you mean by "version range", can you elaborate? I'm not that experienced w/ PyPi versioning. (If it's related, I bumped up the minor version and not the patch version b/c of the new requirement.)

ellieayla commented 6 years ago

I'm not sure what you mean by "version range", can you elaborate? I'm not that experienced w/ PyPi versioning.

install_requires=['defusedxml>=0.5.0'],

That's what I meant.

KevinHock commented 6 years ago

I acknowledge that Salesforce can be the attacking party here. But is the vector you're concerned about some untrusted party submitting stuff to Salesforce, and then this library reading it back out?

I'm just concerned about Salesforce being compromised/rogue employee, I know a few people that work there (security people) and they're great, but if e.g. a developer said they wanted to take a response from even Google and put it into subprocess.check_call I'd be a little worried about it. The sax processor is arguably equivalent b/c of how vuln it is.

ellieayla commented 6 years ago

Then I agree with your assessment and remediation. Thanks for the fix.

KevinHock commented 6 years ago

Oh okay, awesome @alanjcastonguay 👍 Great OSS experience!

KevinHock commented 6 years ago

@alanjcastonguay Would you be okay with putting the latest (1.8.0) up on https://pypi.python.org/pypi/pyforce?

Cheers.

ellieayla commented 6 years ago

Tagged commit d69a73c62725f411aa7c7588f3b231249935c068 as 1.8.0: https://pypi.python.org/pypi/pyforce/1.8.0