Denial-of-Service (SIGSEGV) at xmlquery.(*Node).InnerText #39

Closed
dwisiswant0 opened this issue Aug 29, 2020 · 0 comments

dwisiswant0 commented Aug 29, 2020

Summary

The LoadURL function allows all response types/formats to be parsed (other than XML), so that it can proceed to the next process (e.g. xmlquery.(*Node).InnerText from xmlquery.FindOne) without validation.

Description

This security issue affects all xmlquery versions.

Steps to Reproduce

package main

import (
	"fmt"
	"github.com/antchfx/xmlquery"
)

func main() {
	wadl, err := xmlquery.LoadURL("https://httpbin.org/get")
	if err != nil {
		panic(err)
	}

	attr := xmlquery.FindOne(wadl, "//application/@xmlns")
	fmt.Println(attr.InnerText())
}

The logs will look similar to the following:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x28 pc=0x6a179a]

goroutine 1 [running]:
github.com/antchfx/xmlquery.(*Node).InnerText.func1(0xc00032e2d0, 0x0)
        /home/dw1/.go/src/github.com/antchfx/xmlquery/node.go:55 +0x2a
github.com/antchfx/xmlquery.(*Node).InnerText(0x0, 0x746b67, 0x14)
        /home/dw1/.go/src/github.com/antchfx/xmlquery/node.go:67 +0x84
main.main()
        /tmp/xmlquery.go:15 +0xa0
exit status 2

Vulnerable code:

xmlquery/node.go

Lines 50 to 62 in 64ca73d

		switch n.Type {
		case TextNode, CharDataNode:
			buf.WriteString(n.Data)
		case CommentNode:
		default:
			for child := n.FirstChild; child != nil; child = child.NextSibling {
				output(buf, child)
			}
		}
	}
	var buf bytes.Buffer
	output(&buf, n)

Recommended Mitigations

  • Validate the response from URLs loaded in LoadURL; if it is not in XML format, return an error.
  • Use xml.Unmarshal (only to check the validity of the XML content).
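
An added example, not part of the original report or of xmlquery's code: one way a caller could apply the two recommended mitigations before handing a response to the parser, using only the Go standard library. The function name `checkXMLResponse` and both sample bodies are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"mime"
	"strings"
)

// checkXMLResponse (hypothetical helper) rejects a response unless its
// Content-Type is an XML media type and its body is well-formed XML.
func checkXMLResponse(contentType string, body []byte) error {
	mt, _, err := mime.ParseMediaType(contentType)
	if err != nil {
		return fmt.Errorf("bad Content-Type %q: %w", contentType, err)
	}
	if mt != "application/xml" && mt != "text/xml" && !strings.HasSuffix(mt, "+xml") {
		return fmt.Errorf("unexpected media type %q", mt)
	}
	dec := xml.NewDecoder(bytes.NewReader(body))
	elements := 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			break
		}
		if err != nil {
			return fmt.Errorf("malformed XML: %w", err)
		}
		if _, ok := tok.(xml.StartElement); ok {
			elements++
		}
	}
	// Plain text such as JSON tokenizes as character data with no elements.
	if elements == 0 {
		return fmt.Errorf("body contains no XML elements")
	}
	return nil
}

func main() {
	// Constructed samples: a JSON body like the endpoint in the report returns, and a small WADL document.
	jsonBody := []byte(`{"args": {}, "url": "https://httpbin.org/get"}`)
	wadlBody := []byte(`<application xmlns="http://wadl.dev.java.net/2009/02"><resources/></application>`)
	fmt.Println(checkXMLResponse("application/json", jsonBody))
	fmt.Println(checkXMLResponse("application/xml", jsonBody))
	fmt.Println(checkXMLResponse("application/vnd.sun.wadl+xml", wadlBody))
}
```

Independently of this gate, a caller should check the result of xmlquery.FindOne for nil before calling InnerText, since the trace above shows InnerText invoked on a nil receiver (0x0).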