fix(block): security updates for rks import

2023-05-03 14:47:25 +01:00 · 2023-05-03 14:47:25 +01:00 · 3e5f1565b1
commit 3e5f1565b1
parent fb1341365f
1 changed files with 14 additions and 8 deletions
--- a/app/terraform/block_roskomsvoboda.py
+++ b/app/terraform/block_roskomsvoboda.py
@ -4,15 +4,22 @@ from io import BytesIO
 from typing import Any, Optional
 from zipfile import ZipFile, BadZipFile

-import lxml
+import lxml  # nosec: B410
 import requests
-from lxml.etree import XMLSyntaxError
+from lxml.etree import XMLSyntaxError  # nosec: B410

 from app.extensions import db
 from app.models.activity import Activity
 from app.models.tfstate import TerraformState
 from app.terraform.block_mirror import BlockMirrorAutomation

+# TODO: Security considerations for lxml
+#
+# This module makes use of lxml for parsing XML. There are some known issues relating to
+# malicious XML being crafted to exploit XML parses such that they will exhaust available
+# CPU and RAM. Here we use the event-driven parser and disable entity resolution so this
+# should help to reduce the risks however a more in-depth review would be good in the future.
+

 class BlockRoskomsvobodaAutomation(BlockMirrorAutomation):
    """
@ -31,11 +38,10 @@ class BlockRoskomsvobodaAutomation(BlockMirrorAutomation):

    _data: Any

-    def _fetch(self, latest_rev) -> None:
+    def _fetch(self, latest_rev: str) -> None:
        self._data = None
        try:
-            r = requests.get(f"https://dumps.rublacklist.net/fetch/{latest_rev}",
-                         verify=False, timeout=180)
+            r = requests.get(f"https://dumps.rublacklist.net/fetch/{latest_rev}", timeout=180)
            r.raise_for_status()
            zip_file = ZipFile(BytesIO(r.content))
            self._data = zip_file.read("dump.xml")
@ -70,8 +76,7 @@ class BlockRoskomsvobodaAutomation(BlockMirrorAutomation):
            latest_metadata = {"dump_rev": "0"}
        else:
            latest_metadata = json.loads(state.state)
-        latest_rev = requests.get("https://dumps.rublacklist.net/fetch/latest",
-                                  verify=False, timeout=30).text.strip()
+        latest_rev = requests.get("https://dumps.rublacklist.net/fetch/latest", timeout=30).text.strip()
        logging.debug("Latest revision is %s, already got %s", latest_rev, latest_metadata["dump_rev"])
        if latest_rev != latest_metadata["dump_rev"]:
            state.state = json.dumps({"dump_rev": latest_rev})
@ -85,7 +90,8 @@ class BlockRoskomsvobodaAutomation(BlockMirrorAutomation):
            logging.debug("No new data to parse")
            return
        try:
-            for _event, element in lxml.etree.iterparse(BytesIO(self._data)):
+            for _event, element in lxml.etree.iterparse(BytesIO(self._data),
+                                                        resolve_entities=False):
                if element.tag == "domain":
                    self.patterns.append("https://" + element.text.strip())
        except XMLSyntaxError: