mirror of https://github.com/bitwarden/browser synced 2025-12-15 15:53:27 +00:00

Tools/pm 3567 import xxe detection (#6918)

* RegEx to prevent external entities from being imported in xml

* Adding the test case

* Changing the regex and updating test case description
ttalty
2023-12-08 09:50:02 -05:00
committed by GitHub
parent 31112d8033
commit c4b31c9f8f
2 changed files with 27 additions and 0 deletions


@@ -137,6 +137,10 @@ export abstract class BaseImporter {
}
protected parseXml(data: string): Document {
// Ensure there are no external entity elements in the XML to prevent against XXE attacks.
if (!this.validateNoExternalEntities(data)) {
return null;
}
const parser = new DOMParser();
const doc = parser.parseFromString(data, "application/xml");
return doc != null && doc.querySelector("parsererror") == null ? doc : null;
@@ -402,4 +406,10 @@ export abstract class BaseImporter {
cipher.identity.lastName = nameParts.slice(2, nameParts.length).join(" ");
}
}
private validateNoExternalEntities(data: string): boolean {
const regex = new RegExp("<!ENTITY", "i");
const hasExternalEntities = regex.test(data);
return !hasExternalEntities;
}
}
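Review bot: The check in `validateNoExternalEntities` (second hunk) matches only the literal `<!ENTITY`, so a file whose `<!DOCTYPE` references an external subset contains no such token and is still handed to `DOMParser` in `parseXml`; how each runtime's parser treats that is not visible here. If none of the supported export formats ship a DOCTYPE, rejecting DTDs outright is the more conservative guard, e.g. `const regex = /<!(DOCTYPE|ENTITY)/i;`. The method also rejects internal entity declarations and any occurrence of the string inside CDATA, comments or field text, which its name does not suggest; a doc comment such as `/** Returns false when the raw text contains any DTD entity declaration, internal or external, wherever it appears. */` would make that explicit. Because `parseXml` returns `null` for both a rejected and a malformed file, callers cannot tell the user why the import failed; `parseXml`'s body closes outside the first hunk.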