Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

v3.0 - Fix REXML::Security.entity_expansion_limit global mutation #707

Open
johnnyshields opened this issue Jul 10, 2024 · 0 comments
Open

v3.0 - Fix REXML::Security.entity_expansion_limit global mutation #707

johnnyshields opened this issue Jul 10, 2024 · 0 comments

Comments

@johnnyshields
Copy link
Collaborator

johnnyshields commented Jul 10, 2024
edited
Loading

RubySaml::XML::BaseDocument has a line:

REXML::Security.entity_expansion_limit = 0

This mutates the global state of REXML, and also means that RubySaml could be affected by other gems changing this.

Instead, we should do something like:

def with_secure_rexml
  old_eel = REXML::Security.entity_expansion_limit
  REXML::Security.entity_expansion_limit = 0
  yield
ensure
  REXML::Security.entity_expansion_limit = old_eel
end

It's not threadsafe however...

Maybe just replace REXML with Nokogiri?
@johnnyshields johnnyshields mentioned this issue Jan 11, 2025
Open
@johnnyshields johnnyshields changed the title v2.1 - Fix REXML::Security.entity_expansion_limit global mutation v3.0 - Fix REXML::Security.entity_expansion_limit global mutation Jan 19, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@johnnyshields