GHSA-432c-wxpg-m4q3: xml2rfc has file inclusion irregularities
Version 3.12.0 changed xml2rfc so that it would not access local files without the presence of its new --allow-local-file-access flag.
This prevented XML External Entity (XXE) injection attacks with xinclude and XML entity references.
It was discovered that xml2rfc does not respect --allow-local-file-access when a local file is specified as src in artwork or sourcecode elements. Furthermore, XML entity references can include any file inside the source dir and below without using the --allow-local-file-access flag.
The xml2rfc <= 3.26.0 behaviour:
xinclude | XML entity reference | artwork src= | sourcecode src= | |
|---|---|---|---|---|
without --allow-local-file-access flag | No filesystem access | Any file in xml2rfc templates dir and below, any file in source directory and below | Access source directory and below | Access source directory and below |
with --allow-local-file-access flag | Access any file on filesystem1 | Access any file on filesystem1 | Access source directory and below | Access source directory and below |
References
Detect and mitigate GHSA-432c-wxpg-m4q3 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →