From: Jason Stephenson Date: Thu, 3 Nov 2016 14:12:19 +0000 (-0400) Subject: Check for external XML entities in NCIP.pm. X-Git-Url: https://old-git.evergreen-ils.org/?a=commitdiff_plain;h=0dabe8af9ef69bca3d9980f251d141f66d3fbaea;p=NCIPServer.git Check for external XML entities in NCIP.pm. Add an external entity handler to DOM creation in the main NCIP module's handle_initiation function. This handler dies and the error processing catches that error, logs that a possible XXE attack was detected and then returns undef. Signed-off-by: Jason Stephenson --- diff --git a/lib/NCIP.pm b/lib/NCIP.pm index bc61682..7d6bfad 100644 --- a/lib/NCIP.pm +++ b/lib/NCIP.pm @@ -103,9 +103,14 @@ sub handle_initiation { my $dom; my $log = Log::Log4perl->get_logger("NCIP"); - eval { $dom = XML::LibXML->load_xml( string => $xml ); }; + eval { $dom = XML::LibXML->load_xml( string => $xml, ext_ent_handler => sub { die('XXE'); } ); }; if ($@) { + if ($@ eq 'XXE') { + $log->warn('Possible XML External Entity Attack...Bailing out'); + return; + } $log->info("Invalid xml we can not parse it "); + } if ($dom) {
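Review bot: the branch `if ($@ eq 'XXE')` in this hunk will not match, so the XXE warning and early `return` are never reached. `die('XXE')` has no trailing newline, so Perl appends " at .../lib/NCIP.pm line N.\n" to the message and `$@` is never exactly the string `XXE`; the request then falls through to the generic `$log->info("Invalid xml we can not parse it ")` path. Either `die("XXE\n")` with `$@ eq "XXE\n"`, or match with `$@ =~ /^XXE/`. Sturdier still, and independent of whether XML::LibXML reports the handler's exception as a plain string or wraps it in a parse error, is a lexical flag set by the handler, e.g. `my $xxe = 0;` before the eval, `ext_ent_handler => sub { $xxe = 1; die "XXE\n" }`, and `if ($xxe) { ... }` in the error branch. Two smaller points: the handler only fires when the parser actually tries to resolve an external entity or external DTD, so consider also passing `expand_entities => 0`, `load_ext_dtd => 0` and `no_network => 1` to `load_xml` so that substitution never happens even if a later refactor drops the handler; and the hunk adds a `}` after the `$log->info` line without showing a removed or context brace for the original `if ($@) {` block, so check that the braces in the committed file balance and that the `info` line still logs something useful (it currently omits `$@`, which would be the first thing wanted when debugging a rejected request).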