do not resolve entities when parsing xml w/ burnettk

2023-01-17 14:58:54 -05:00 · 2023-01-17 14:58:54 -05:00 · 336fb1d8d2
parent 34f6239185
commit 336fb1d8d2
8 changed files with 58 additions and 10 deletions
--- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/script_unit_tests_controller.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/script_unit_tests_controller.py
@ -49,7 +49,7 @@ def script_unit_test_create(

    # TODO: move this to an xml service or something
    file_contents = SpecFileService.get_data(process_model, file.name)
-    bpmn_etree_element = etree.fromstring(file_contents)
+    bpmn_etree_element = SpecFileService.get_etree_from_xml_bytes(file_contents)

    nsmap = bpmn_etree_element.nsmap
    spiff_element_maker = ElementMaker(
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_processor.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/process_instance_processor.py
@ -1021,10 +1021,10 @@ class ProcessInstanceProcessor:
        for file in files:
            data = SpecFileService.get_data(process_model_info, file.name)
            if file.type == FileType.bpmn.value:
-                bpmn: etree.Element = etree.fromstring(data)
+                bpmn: etree.Element = SpecFileService.get_etree_from_xml_bytes(data)
                parser.add_bpmn_xml(bpmn, filename=file.name)
            elif file.type == FileType.dmn.value:
-                dmn: etree.Element = etree.fromstring(data)
+                dmn: etree.Element = SpecFileService.get_etree_from_xml_bytes(data)
                parser.add_dmn_xml(dmn, filename=file.name)
        if (
            process_model_info.primary_process_id is None
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/process_model_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/process_model_service.py
@ -130,7 +130,9 @@ class ProcessModelService(FileSystemService):
    def save_process_model(cls, process_model: ProcessModelInfo) -> None:
        """Save_process_model."""
        process_model_path = os.path.abspath(
-            os.path.join(FileSystemService.root_path(), process_model.id)
+            os.path.join(
+                FileSystemService.root_path(), process_model.id_for_file_path()
+            )
        )
        os.makedirs(process_model_path, exist_ok=True)
        json_path = os.path.abspath(
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/spec_file_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/spec_file_service.py
@ -93,6 +93,12 @@ class SpecFileService(FileSystemService):
            process_model_info, file.name, file_contents
        )

+    @classmethod
+    def get_etree_from_xml_bytes(cls, binary_data: bytes) -> etree.Element:
+        """Get_etree_from_xml_bytes."""
+        etree_xml_parser = etree.XMLParser(resolve_entities=False)
+        return etree.fromstring(binary_data, parser=etree_xml_parser)
+
    @classmethod
    def get_references_for_file_contents(
        cls, process_model_info: ProcessModelInfo, file_name: str, binary_data: bytes
@ -118,13 +124,13 @@ class SpecFileService(FileSystemService):
        correlations = {}
        start_messages = []
        if file_type.value == FileType.bpmn.value:
-            parser.add_bpmn_xml(etree.fromstring(binary_data))
+            parser.add_bpmn_xml(cls.get_etree_from_xml_bytes(binary_data))
            parser_type = "process"
            sub_parsers = list(parser.process_parsers.values())
            messages = parser.messages
            correlations = parser.correlations
        elif file_type.value == FileType.dmn.value:
-            parser.add_dmn_xml(etree.fromstring(binary_data))
+            parser.add_dmn_xml(cls.get_etree_from_xml_bytes(binary_data))
            sub_parsers = list(parser.dmn_parsers.values())
            parser_type = "decision"
        else:
@ -172,7 +178,9 @@ class SpecFileService(FileSystemService):
            validator = BpmnValidator()
            parser = MyCustomParser(validator=validator)
            try:
-                parser.add_bpmn_xml(etree.fromstring(binary_data), filename=file_name)
+                parser.add_bpmn_xml(
+                    cls.get_etree_from_xml_bytes(binary_data), filename=file_name
+                )
            except etree.XMLSyntaxError as exception:
                raise ProcessModelFileInvalidError(
                    f"Received error trying to parse bpmn xml: {str(exception)}"
--- a/spiffworkflow-backend/tests/data/xml_with_entity/file_to_inject
+++ b/spiffworkflow-backend/tests/data/xml_with_entity/file_to_inject
@ -0,0 +1 @@
+THIS_STRING_SHOULD_NOT_EXIST_ITS_SECRET
--- a/spiffworkflow-backend/tests/data/xml_with_entity/invoice.bpmn
+++ b/spiffworkflow-backend/tests/data/xml_with_entity/invoice.bpmn
@ -0,0 +1,6 @@
+<!--?xml version="1.0" ?-->
+<!DOCTYPE replace [<!ENTITY ent SYSTEM "file://{{FULL_PATH_TO_FILE}}"> ]>
+<userInfo>
+ <firstName>John</firstName>
+ <lastName>&ent;</lastName>
+</userInfo>
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/helpers/base_test.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/helpers/base_test.py
@ -173,11 +173,11 @@ class BaseTest:
                " model"
            )

-    def get_test_data_file_contents(
+    def get_test_data_file_full_path(
        self, file_name: str, process_model_test_data_dir: str
-    ) -> bytes:
+    ) -> str:
        """Get_test_data_file_contents."""
-        file_full_path = os.path.join(
+        return os.path.join(
            current_app.instance_path,
            "..",
            "..",
@ -186,6 +186,14 @@ class BaseTest:
            process_model_test_data_dir,
            file_name,
        )
+
+    def get_test_data_file_contents(
+        self, file_name: str, process_model_test_data_dir: str
+    ) -> bytes:
+        """Get_test_data_file_contents."""
+        file_full_path = self.get_test_data_file_full_path(
+            file_name, process_model_test_data_dir
+        )
        with open(file_full_path, "rb") as file:
            return file.read()

--- a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_spec_file_service.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_spec_file_service.py
@ -5,6 +5,7 @@ import pytest
 from flask import Flask
 from flask.testing import FlaskClient
 from flask_bpmn.models.db import db
+from lxml import etree  # type: ignore
 from tests.spiffworkflow_backend.helpers.base_test import BaseTest
 from tests.spiffworkflow_backend.helpers.test_data import load_test_spec

@ -236,3 +237,25 @@ class TestSpecFileService(BaseTest):

        full_file_path = SpecFileService.full_file_path(process_model, "bad_xml.bpmn")
        assert not os.path.isfile(full_file_path)
+
+    def test_does_not_evaluate_entities(
+        self,
+        app: Flask,
+        client: FlaskClient,
+        with_db_and_bpmn_file_cleanup: None,
+    ) -> None:
+        """Test_does_not_evaluate_entities."""
+        string_replacement = b"THIS_STRING_SHOULD_NOT_EXIST_ITS_SECRET"
+        tmp_file = os.path.normpath(
+            self.get_test_data_file_full_path("file_to_inject", "xml_with_entity")
+        )
+        file_contents = self.get_test_data_file_contents(
+            "invoice.bpmn", "xml_with_entity"
+        )
+        file_contents = (
+            file_contents.decode("utf-8")
+            .replace("{{FULL_PATH_TO_FILE}}", tmp_file)
+            .encode()
+        )
+        etree_element = SpecFileService.get_etree_from_xml_bytes(file_contents)
+        assert string_replacement not in etree.tostring(etree_element)