Commit 1bee0f89 authored by Igor Ponomarev's avatar Igor Ponomarev

Use `defusedxml` for XMLRPC to prevent DoS attacks

`defusedxml` is a patched XML Python library that fixes many issues
with the standard library XML and prevents attacks such as the
Billion laughs attack.

https://en.wikipedia.org/wiki/Billion_laughs_attack

`defusedxml` provides a `defusedxml.xmlrpc.monkey_patch` call
which will patch the `xmlrpc` standard library module with the
safe XML decoders.

This patch enables XML protections once a Dispatcher class is
initiated. The Dispatcher is the one that uses the
`xmlrpc.client.loads` call to parse XML from the HTTP call.
parent 3fd8fad9
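An added example, not code from this commit and not defusedxml's own implementation, showing the kind of guard that `defusedxml.xmlrpc.monkey_patch` installs in front of `xmlrpc.client.loads`: the standard library expat parser is run over the request body first and any DOCTYPE or entity declaration aborts the parse, so an entity-expansion document like the billion laughs payload linked above is rejected at its DTD before anything can expand. The method names and request bodies are constructed placeholders, not LAVA's XML-RPC API.

```python
"""Reject DTDs and entity declarations before an XML-RPC payload reaches
xmlrpc.client.loads.

Added example, not code from the commit above or from defusedxml: it
approximates what defusedxml.xmlrpc.monkey_patch() enforces (a DTD or
entity declaration aborts parsing) using only the standard library expat
parser.  XML-RPC never needs a DTD, so any document carrying one is
rejected outright."""
import xml.parsers.expat
import xmlrpc.client


class DTDForbidden(ValueError):
    """Raised when an XML-RPC payload declares a DOCTYPE or an entity."""


def reject_dtd(data: bytes) -> None:
    """Parse `data` once with expat, aborting on the first DTD construct.

    An exception raised inside an expat callback propagates out of
    Parse(), so the document is never processed past the offending
    declaration and no entity expansion can take place."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDForbidden(f"DOCTYPE {name!r} is not allowed in an XML-RPC payload")

    def on_entity(*decl):
        raise DTDForbidden("entity declarations are not allowed in an XML-RPC payload")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)


def safe_loads(data: bytes):
    """Decode an XML-RPC method call only after the DTD guard passes.

    Returns the same (params, methodname) pair as xmlrpc.client.loads."""
    reject_dtd(data)
    return xmlrpc.client.loads(data)


def is_accepted(data: bytes) -> bool:
    """True when the payload decodes, False when the DTD guard rejects it."""
    try:
        safe_loads(data)
    except DTDForbidden:
        return False
    return True


# Constructed sample requests (method names are placeholders, not LAVA's API).
PLAIN_CALL = (
    b"<?xml version='1.0'?><methodCall>"
    b"<methodName>example.echo</methodName>"
    b"<params><param><value><int>5</int></value></param></params>"
    b"</methodCall>"
)
# A single harmless entity is enough to trip the guard: the decision is made
# at the DOCTYPE, before any reference could be expanded.
DTD_CALL = (
    b"<?xml version='1.0'?>"
    b"<!DOCTYPE methodCall [<!ENTITY greet 'hello'>]>"
    b"<methodCall><methodName>&greet;</methodName></methodCall>"
)

if __name__ == "__main__":
    print(safe_loads(PLAIN_CALL))  # ((5,), 'example.echo')
    print(is_accepted(DTD_CALL))   # False
```

The guard parses the body twice (once to screen, once to decode), which is cheap for XML-RPC-sized requests; defusedxml avoids the second pass by wrapping the parser that `xmlrpc.client` itself uses, which is why the monkey patch in the dispatcher hunk is the preferable production fix.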
......@@ -13,7 +13,7 @@ RUN echo 'deb http://deb.debian.org/debian bullseye-backports main' > /etc/apt/s
apt-get install --no-install-recommends --yes libldap-common libsasl2-modules && \
apt-get install --no-install-recommends --yes python3-boto3 python3-pycurl && \
apt-get install --no-install-recommends --yes python3-voluptuous python3-yaml && \
apt-get install --no-install-recommends --yes python3-aiohttp python3-celery python3-django python3-django-allauth python3-django-auth-ldap python3-django-environ python3-django-filters python3-django-tables2 python3-djangorestframework python3-djangorestframework-extensions python3-djangorestframework-filters python3-docutils python3-eventlet python3-jinja2 python3-junit.xml python3-psycopg2 python3-requests python3-simplejson python3-tap python3-tz python3-voluptuous python3-whitenoise python3-yaml python3-zmq && \
apt-get install --no-install-recommends --yes python3-aiohttp python3-celery python3-defusedxml python3-django python3-django-allauth python3-django-auth-ldap python3-django-environ python3-django-filters python3-django-tables2 python3-djangorestframework python3-djangorestframework-extensions python3-djangorestframework-filters python3-docutils python3-eventlet python3-jinja2 python3-junit.xml python3-psycopg2 python3-requests python3-simplejson python3-tap python3-tz python3-voluptuous python3-whitenoise python3-yaml python3-zmq && \
apt-get install --no-install-recommends --yes python3-pip && \
python3 -m pip install sentry-sdk==1.5.8 && \
find /usr/lib/python3/dist-packages/ -name '__pycache__' -type d -exec rm -r "{}" + && \
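Review bot: nothing in this Dockerfile hunk verifies that the newly added python3-defusedxml package actually provides the module the dispatcher imports; since the image is the runtime for that code, a build-time smoke check such as `python3 -c "import defusedxml.xmlrpc"` after the apt install line would fail the build early if the package is missing or renamed in the bullseye/bullseye-backports sources named in the hunk header, rather than surfacing as an ImportError the first time a Dispatcher is constructed.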
......
......@@ -374,6 +374,9 @@ class Dispatcher:
# logging output goes to lava-server.log
logging.basicConfig()
self.logger = logging.getLogger("linaro-django-xmlrpc-dispatcher")
from defusedxml.xmlrpc import monkey_patch
monkey_patch()
def decode_request(self, data):
"""
......
......@@ -13,6 +13,8 @@ lava-server:
name: python3-django-auth-ldap
PyYAML:
name: python3-yaml
defusedxml:
name: python3-defusedxml
django-allauth:
name: python3-django-allauth
django-filter:
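Review bot: the new `defusedxml` entry carries only the Debian package name and no minimum version, so nothing records which defusedxml release the `defusedxml.xmlrpc.monkey_patch` call in the dispatcher hunk depends on; if this requirements file feeds the packaging, a version floor here (or a note in the commit message) would make that dependency explicit. The same entry appears in the two following identical hunks, presumably one per supported distribution; worth confirming every distribution file that lists lava-server's requirements received it.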
......
......@@ -13,6 +13,8 @@ lava-server:
name: python3-django-auth-ldap
PyYAML:
name: python3-yaml
defusedxml:
name: python3-defusedxml
django-allauth:
name: python3-django-allauth
django-filter:
......
......@@ -13,6 +13,8 @@ lava-server:
name: python3-django-auth-ldap
PyYAML:
name: python3-yaml
defusedxml:
name: python3-defusedxml
django-allauth:
name: python3-django-allauth
django-filter:
......