GHSA-432c-wxpg-m4q3: xml2rfc has file inclusion irregularities
Version 3.12.0 changed xml2rfc so that it would not access local files unless its new --allow-local-file-access flag was present. This prevented XML External Entity (XXE) injection attacks via xinclude and XML entity references.

It was discovered that xml2rfc does not respect --allow-local-file-access when a local file is specified as the src of an artwork or sourcecode element. Furthermore, XML entity references can include any file inside the source directory and below without the --allow-local-file-access flag.
The xml2rfc <= 3.26.0 behaviour:

| | xinclude | XML entity reference | artwork src= | sourcecode src= |
|---|---|---|---|---|
| without --allow-local-file-access flag | No filesystem access | Any file in xml2rfc templates dir and below, any file in source directory and below | Access source directory and below | Access source directory and below |
| with --allow-local-file-access flag | Access any file on filesystem¹ | Access any file on filesystem¹ | Access source directory and below | Access source directory and below |
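A pre-render audit that lists the four reference kinds in the table and flags which would read outside the source directory, written as an added example (not advisory or xml2rfc code); the sample document is constructed and the source directory /srv/drafts/draft-x is assumed:

```python
# Added example, not xml2rfc code: list local-file references in RFC XML before rendering.
import re
from pathlib import Path
from urllib.parse import urlparse
import xml.etree.ElementTree as ET
XI_INCLUDE = "{http://www.w3.org/2001/XInclude}include"
# external entity declarations (SYSTEM/PUBLIC) in the internal DTD subset
ENTITY_DECL = re.compile(r'<!ENTITY\s+([\w.-]+)\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"([^"]*)"', re.I)

# constructed sample: two external entities, two src attributes, one remote xinclude
SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE rfc [
  <!ENTITY rfc2119 SYSTEM "bibxml/reference.RFC.2119.xml">
  <!ENTITY host SYSTEM "file:///etc/hostname">
]>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude">
  <artwork src="figures/fig1.txt"/>
  <sourcecode src="../../outside/secret.txt"/>
  <xi:include href="https://example.org/ref.xml"/>
  <references>&rfc2119;&host;</references>
</rfc>
"""

def audit_local_refs(xml_text, source_dir):
    """Return (kind, ref, inside_source_dir) for every local file reference."""
    base = Path(source_dir).resolve()
    decls = ENTITY_DECL.findall(xml_text)
    refs = [("entity", uri) for _, uri in decls]
    parser = ET.XMLParser()
    for name, _ in decls:
        parser.entity[name] = ""   # parse &name; without fetching anything
    for el in ET.fromstring(xml_text, parser=parser).iter():
        if el.tag == XI_INCLUDE and "href" in el.attrib:
            refs.append(("xinclude", el.attrib["href"]))
        elif el.tag in ("artwork", "sourcecode") and "src" in el.attrib:
            refs.append((el.tag, el.attrib["src"]))
    findings = []
    for kind, ref in refs:
        url = urlparse(ref)
        if url.scheme and url.scheme != "file":
            continue                    # http/https/data: not a local read
        path = Path(url.path) if url.scheme else base / ref
        resolved = path.resolve()       # collapses ../ traversal
        inside = resolved == base or base in resolved.parents
        findings.append((kind, ref, inside))
    return findings

def safe_to_render(findings, allow_local_file_access=False):
    """Conservative gate: no local reads without the flag, none outside the source dir."""
    return all(inside and allow_local_file_access for _, _, inside in findings)
```

Run the audit on untrusted input before invoking xml2rfc; the gate mirrors the behaviour the flag was meant to enforce rather than the behaviour the table shows.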