Sanitize XML Documents
|Category:||Core & System|
|Target version:||Release 5.0|
This issue has been renamed to sanitize other XML documents through oned, when they include user inputs.
[PATCH] Sanitize LibVirt XML Document for QEMU/KVM
Currently any user input can be passed to the generated XML document passed to libvirt, which could cause security issues (e.g., arbitrary code execution using the <emulator> tag or arbitrary file access using -hda/-drive/etc).
Attached is a patch to sanitize this, as well as remove the "DATA" section from being processed, this should be updated to look through the DATA section for known-good fragments that can be selectively added.
feature #4162: Sanitize libvirt deployment file. Patch merge from a
contribution by Roy Keene
#4 Updated by Ruben S. Montero over 5 years ago
- Status changed from Pending to Closed
- Resolution set to fixed
This is now in master, it is basically your patch (just changed the name and moved the template to the util namespace to use in other parts of the code). I've also went trough the XML documents and escaped missing user input fields.
BTW, instead of using #if 0 for script and data in libvirtXML,I suggest to use a restricted attribute. This way only oneadmin can access those attributes and you do not have to patch the file. (VM_RESTRICTED_ATTR = "NIC_DEFAULT/BRIDGE" and VM_RESTRICTED_ATTR = "RAW")
#5 Updated by Roy Keene over 4 years ago
I just checked on OpenNebula 5.2.1 there's an escape_xml() and escape_xml_attr(), but they don't actually escape any invalid sequences.
For example escape_xml_attr("blah' mycoolattr='xyx' ignoreattr='") returns: 'blah' mycoolattr='xyz' ignoreattr='' which can allow for XML