-
Notifications
You must be signed in to change notification settings - Fork 70
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for XML entity expansion limitation in SAX and pull parsers #187
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Supported `REXML::Security.entity_expansion_limit=` in SAX and Pull Supported `REXML::Security.entity_expansion_text_limit=` in SAX and Pull
kou
changed the title
fix: XML Entity Expansion is available in REXML(SAX or Pull)
Add support for XML entity expansion limitation in SAX and pull parsers
Aug 1, 2024
Thanks. |
kou
pushed a commit
that referenced
this pull request
Aug 1, 2024
`REXML::Parser::BaseParser` uses `REXML::Security` since #187. But `rexml/parsers/baseparser.rb` doesn't require `rexml/security` explicitly. This doesn't cause a problem in normal usages because `require "rexml"` requires `rexml/security` implicitly. If an user requires specific parser such as `rexml/parsers/streamparser` explicitly, this causes a problem. We should require `rexml/security` explicitly in `rexml/parsers/baseparser.rb` explicitly because `REXML::Parser::BaseParser` uses `REXML::Security`. ## How to reproduce When `lib/rexml/parsers/baseparser.rb` is required directly, the `REXML::Security` module is not required. It causes the following error: ```ruby require "rexml/parsers/streamparser" require "rexml/streamlistener" class Listener include REXML::StreamListener end REXML::Parsers::StreamParser.new("<root>></root>", Listener.new).parse ``` ```console $ ruby test.rb lib/rexml/parsers/baseparser.rb:558:in 'block in REXML::Parsers::BaseParser#unnormalize': uninitialized constant REXML::Parsers::BaseParser::Security (NameError) if sum > Security.entity_expansion_text_limit ^^^^^^^^ Did you mean? SecurityError from <internal:array>:54:in 'Array#each' from rexml/parsers/baseparser.rb:551:in 'REXML::Parsers::BaseParser#unnormalize' from rexml/parsers/streamparser.rb:39:in 'REXML::Parsers::StreamParser#parse' from test.rb:8:in '<main>' ```
otegami
added a commit
to otegami/red-datasets
that referenced
this pull request
Aug 1, 2024
…it during XML parsing Using `Datasets::WikipediaKyotoJapaneseEnglish#each` raised an `entity expansion has grown too large (RuntimeError)`. This error occurs because the entity expansion limit in REXML is set by ruby/rexml#187, and `Datasets::WikipediaKyotoJapaneseEnglish#each` exceeds that limit. In Red Datasets, increasing the entity expansion limit is not a problem because we want to handle large datasets. Therefore, we temporarily increase the limit. How to reproduce: ```console $ cd red-datasets && bundle $ bundle exec ruby example/wikipedia-kyoto-japanese-english.rb ... /home/otegami/.rbenv/versions/3.3.3/lib/ruby/gems/3.3.0/gems/rexml-3.3.4/lib/rexml/parsers/baseparser.rb:560:in `block in unnormalize': entity expansion has grown too large (RuntimeError) ... ```
kou
pushed a commit
to red-data-tools/red-datasets
that referenced
this pull request
Aug 5, 2024
…it during XML parsing (#198) Using `Datasets::WikipediaKyotoJapaneseEnglish#each` raised an `entity expansion has grown too large (RuntimeError)`. This error occurs because the entity expansion limit in REXML is set by ruby/rexml#187, and `Datasets::WikipediaKyotoJapaneseEnglish#each` exceeds that limit. In Red Datasets, increasing the entity expansion limit is not a problem because we want to handle large datasets. Therefore, we temporarily increase the limit. ## How to reproduce ```console $ cd red-datasets && bundle $ bundle exec ruby example/wikipedia-kyoto-japanese-english.rb ... /home/otegami/.rbenv/versions/3.3.3/lib/ruby/gems/3.3.0/gems/rexml-3.3.4/lib/rexml/parsers/baseparser.rb:560:in `block in unnormalize': entity expansion has grown too large (RuntimeError) ... ```
otegami
added a commit
to otegami/red-datasets
that referenced
this pull request
Aug 5, 2024
Using `Datasets::Wikipedia#each` raised an `entity expansion has grown too large (RuntimeError)`. This error occurs because the entity expansion limit in REXML is set by ruby/rexml#187, and `Datasets::Wikipedia#each` exceeds that limit. In Red Datasets, increasing the entity expansion limit is not a problem because we want to handle large datasets. Therefore, we temporarily increase the limit. ```ruby require 'datasets' wikipedia = Datasets::Wikipedia.new wikipedia.each do |wiki| pp wiki end ``` ```console $ cd red-datasets && bundle && bundle exec ruby wiki /home/otegami/.rbenv/versions/3.3.3/lib/ruby/gems/3.3.0/gems/rexml-3.3.4/lib/rexml/parsers/baseparser.rb:560:in `block in unnormalize': entity expansion has grown too large (RuntimeError) ```
otegami
added a commit
to otegami/red-datasets
that referenced
this pull request
Aug 5, 2024
Using `Datasets::Wikipedia#each` raised an `entity expansion has grown too large (RuntimeError)`. This error occurs because the entity expansion limit in REXML is set by ruby/rexml#187, and `Datasets::Wikipedia#each` exceeds that limit. In Red Datasets, increasing the entity expansion limit is not a problem because we want to handle large datasets. Therefore, we temporarily increase the limit. ```ruby require 'datasets' wikipedia = Datasets::Wikipedia.new wikipedia.each do |wiki| pp wiki end ``` ```console $ cd red-datasets && bundle && bundle exec ruby wiki /home/otegami/.rbenv/versions/3.3.3/lib/ruby/gems/3.3.0/gems/rexml-3.3.4/lib/rexml/parsers/baseparser.rb:560:in `block in unnormalize': entity expansion has grown too large (RuntimeError) ```
otegami
added a commit
to otegami/red-datasets
that referenced
this pull request
Oct 6, 2024
Using `Datasets::Wikipedia#each` raised an `entity expansion has grown too large (RuntimeError)`. This error occurs because the entity expansion limit in REXML is set by ruby/rexml#187, and `Datasets::Wikipedia#each` exceeds that limit. In Red Datasets, increasing the entity expansion limit is not a problem because we want to handle large datasets. Therefore, we temporarily increase the limit. ```ruby require 'datasets' wikipedia = Datasets::Wikipedia.new wikipedia.each do |wiki| pp wiki end ``` ```console $ cd red-datasets && bundle && bundle exec ruby wiki /home/otegami/.rbenv/versions/3.3.3/lib/ruby/gems/3.3.0/gems/rexml-3.3.4/lib/rexml/parsers/baseparser.rb:560:in `block in unnormalize': entity expansion has grown too large (RuntimeError) ```
This is I suppose CVE-2024-41946 ? |
Yes. |
@kou it seems it fixes also CVE-2024-43398 ? |
It was fixed by 7cb5eae. |
bastien-roucaries
referenced
this pull request
Jan 5, 2025
It was slow for deep element. Reported by l33thaxor. Thanks!!!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
REXML::Security.entity_expansion_limit=
in SAX and PullREXML::Security.entity_expansion_text_limit=
in SAX and Pull