Feature #4162

Sanitize XML Documents

Added by Roy Keene almost 5 years ago. Updated over 3 years ago.

Status: Closed
Start date: 11/16/2015
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Core & System
Target version: Release 5.0
Resolution: fixed
Pull request:

Description

This issue has been renamed to sanitize other XML documents through oned, when they include user inputs.

Original issue:
[PATCH] Sanitize LibVirt XML Document for QEMU/KVM

Currently any user input can be passed to the generated XML document passed to libvirt, which could cause security issues (e.g., arbitrary code execution using the <emulator> tag or arbitrary file access using -hda/-drive/etc).

Attached is a patch to sanitize this, as well as remove the "DATA" section from being processed; this should be updated to look through the DATA section for known-good fragments that can be selectively added.

opennebula-4.12.0-sanitizelibvirtxml.diff - Sanitize LibVirt XML Patch (17 KB) Roy Keene, 11/16/2015 04:53 PM

Associated revisions

Revision 0579f23c
Added by Ruben S. Montero over 4 years ago

feature #4162: Sanitize libvirt deployment file. Patch merge from a
contribution by Roy Keene

Revision 60042706
Added by Ruben S. Montero over 4 years ago

feature #4162: Sanitize some user attributes in XML documents

History

#1 Updated by Ruben S. Montero almost 5 years ago

  • Target version set to Release 5.0

#2 Updated by Ruben S. Montero almost 5 years ago

  • Tracker changed from Bug to Feature

#3 Updated by Ruben S. Montero over 4 years ago

  • Subject changed from [PATCH] Sanitize LibVirt XML Document for QEMU/KVM to Sanitize XML Documents
  • Description updated (diff)

#4 Updated by Ruben S. Montero over 4 years ago

  • Status changed from Pending to Closed
  • Resolution set to fixed

Hi Roy,

This is now in master, it is basically your patch (just changed the name and moved the template to the util namespace to use in other parts of the code). I've also gone through the XML documents and escaped missing user input fields.

BTW, instead of using #if 0 for script and data in libvirtXML, I suggest using a restricted attribute. This way only oneadmin can access those attributes and you do not have to patch the file. (VM_RESTRICTED_ATTR = "NIC_DEFAULT/BRIDGE" and VM_RESTRICTED_ATTR = "RAW")

Cheers

Ruben

#5 Updated by Roy Keene over 3 years ago

I just checked on OpenNebula 5.2.1: there's an escape_xml() and escape_xml_attr(), but they don't actually escape any invalid sequences.

For example escape_xml_attr("blah' mycoolattr='xyx' ignoreattr='") returns: 'blah' mycoolattr='xyz' ignoreattr='' which can allow for XML injection.
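
The attribute injection reported in comment #5, shown beside an escaped form, as an added example that is not part of the original thread and is not OpenNebula's code. The names `xml_attr_escape`, `naive_element`, `escaped_element`, `quote_count` and the `<disk source=...>` element are hypothetical, chosen only for illustration.

```cpp
#include <algorithm>
#include <iostream>
#include <string>

// Input quoted in comment #5 of this issue.
const std::string kInput = "blah' mycoolattr='xyx' ignoreattr='";

// Hypothetical helper, not OpenNebula's escape_xml_attr(): make a value safe
// inside a quoted XML attribute, whichever quote character delimits it.
std::string xml_attr_escape(const std::string& in)
{
    std::string out;
    for (unsigned char c : in)
    {
        switch (c)
        {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '\'': out += "&apos;"; break;
            case '"':  out += "&quot;"; break;
            case '\t': out += "&#9;";   break; // character references survive
            case '\n': out += "&#10;";  break; // attribute-value normalization
            case '\r': out += "&#13;";  break;
            default:
                // Other control characters are not legal in XML 1.0: drop them.
                if (c >= 0x20) out += static_cast<char>(c);
        }
    }
    return out;
}

// Constructed element and attribute names. User input concatenated as-is:
std::string naive_element(const std::string& v) { return "<disk source='" + v + "'/>"; }

// Same element with the value escaped before insertion:
std::string escaped_element(const std::string& v) { return "<disk source='" + xml_attr_escape(v) + "'/>"; }

// Literal single quotes in the output: 2 means exactly one attribute value.
long quote_count(const std::string& s) { return std::count(s.begin(), s.end(), '\''); }

int main()
{
    std::cout << naive_element(kInput) << '\n' << escaped_element(kInput) << '\n';
}
```

A quote count above 2 in the generated element means the user value closed its own attribute and started new ones, which is a cheap regression check for any document builder that embeds user input.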
