
zorbathut / dec / 10786980837

10 Sep 2024 06:26AM UTC coverage: 90.657% (+0.04%) from 90.614%
10786980837

push

github

zorbathut
Fix: Security issue: XML documents could cause arbitrary HTTP requests.

4473 of 4934 relevant lines covered (90.66%)

195267.01 hits per line


95.83
/src/ReaderXmlRecorder.cs
namespace Dec
{
    using System;
    using System.Collections;
    using System.Collections.Generic;
    using System.IO;
    using System.Linq;
    using System.Reflection;
    using System.Xml;
    using System.Xml.Linq;

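    /// <summary>
    /// Reads a serialized Recorder document from XML text and exposes its reference table
    /// and data payload to the generic <see cref="ReaderFileRecorder"/> pipeline.
    /// </summary>
    internal class ReaderFileRecorderXml : ReaderFileRecorder
    {
        // Root element of the parsed document (expected to be named "Record").
        private XElement record;
        // Origin of the input (file name or similar); used only to label diagnostics.
        private string fileIdentifier;
        // Forwarded unchanged to every ReaderNodeXml created from this document.
        private Recorder.IUserSettings userSettings;

        /// <summary>
        /// Parses <paramref name="input"/> as a Recorder XML document.
        /// </summary>
        /// <param name="input">The raw XML text.</param>
        /// <param name="identifier">Label used in diagnostics to identify the input.</param>
        /// <param name="userSettings">Settings forwarded to the nodes created from this document.</param>
        /// <returns>
        /// A reader over the document, or <c>null</c> when the text cannot be parsed, has no root
        /// element, or declares a record format version this reader does not understand.
        /// Structural problems are reported through <see cref="Dbg"/> rather than thrown.
        /// </returns>
        public static ReaderFileRecorderXml Create(string input, string identifier, Recorder.IUserSettings userSettings)
        {
            // The document is untrusted input. Parsing goes through UtilXml.ParseSafely rather than
            // XDocument.Parse/Load directly: the commit this file comes from fixes XML input being
            // able to trigger outbound HTTP requests (external DTD/entity resolution), and the
            // hardened reader settings live in UtilXml. Do not bypass it here.
            XDocument doc = UtilXml.ParseSafely(new System.IO.StringReader(input));
            if (doc == null)
            {
                return null;
            }

            var rootCount = doc.Elements().Count();
            if (rootCount > 1)
            {
                // This isn't testable, unfortunately; XDocument doesn't even support multiple root elements.
                Dbg.Err($"{identifier}: Found {rootCount} root elements instead of the expected 1");
            }
            else if (rootCount == 0)
            {
                // Whether ParseSafely can ever hand back a rootless document is not visible from
                // here; report it instead of letting First() below throw.
                Dbg.Err($"{identifier}: Found no root element");
                return null;
            }

            var record = doc.Elements().First();
            if (record.Name.LocalName != "Record")
            {
                Dbg.Wrn($"{new InputContext(identifier, record)}: Found root element with name `{record.Name.LocalName}` when it should be `Record`");
            }

            var recordFormatVersion = record.ElementNamed("recordFormatVersion");
            if (recordFormatVersion == null)
            {
                Dbg.Err($"{new InputContext(identifier, record)}: Missing record format version, assuming the data is up-to-date");
            }
            else if (recordFormatVersion.GetText() != "1")
            {
                Dbg.Err($"{new InputContext(identifier, recordFormatVersion)}: Unknown record format version {recordFormatVersion.GetText()}, expected 1 or earlier");

                // I would rather not guess about this
                return null;
            }

            return new ReaderFileRecorderXml
            {
                record = record,
                fileIdentifier = identifier,
                userSettings = userSettings,
            };
        }

        /// <summary>
        /// Extracts every element under <c>&lt;refs&gt;</c> into a <see cref="ReaderRef"/>.
        /// </summary>
        /// <returns>
        /// The references that passed validation, in document order; an empty list when the
        /// document has no <c>&lt;refs&gt;</c> element. Malformed entries are reported through
        /// <see cref="Dbg"/> and skipped rather than aborting the whole document.
        /// </returns>
        public override List<ReaderRef> ParseRefs()
        {
            var result = new List<ReaderRef>();

            var refs = record.ElementNamed("refs");
            if (refs == null)
            {
                return result;
            }

            foreach (var reference in refs.Elements())
            {
                var context = new InputContext(fileIdentifier, reference);

                if (reference.Name.LocalName != "Ref")
                {
                    Dbg.Wrn($"{context}: Reference element should be named 'Ref'");
                }

                var idAttribute = reference.Attribute("id");
                if (idAttribute == null)
                {
                    Dbg.Err($"{context}: Missing reference ID");
                    continue;
                }

                // Capture the value first: the attribute is detached from the element below.
                var id = idAttribute.Value;

                // Further steps don't know how to deal with this, so we just strip it
                idAttribute.Remove();

                var className = reference.Attribute("class")?.Value;
                if (className == null)
                {
                    Dbg.Err($"{context}: Missing reference class name");
                    continue;
                }

                // The type name comes straight from the document; which names are accepted is
                // decided inside Serialization.ParseString, not here.
                var type = (Type)Serialization.ParseString(className, typeof(Type), null, context);
                if (type == null)
                {
                    // ParseString presumably yields null for an unresolvable name (confirm against
                    // Serialization); without this guard the IsValueType check would throw
                    // NullReferenceException on such input instead of skipping the entry.
                    Dbg.Err($"{context}: Could not resolve reference class `{className}`");
                    continue;
                }

                if (type.IsValueType)
                {
                    Dbg.Err($"{context}: Reference assigned type {type}, which is a value type");
                    continue;
                }

                result.Add(new ReaderRef
                {
                    id = id,
                    type = type,
                    node = new ReaderNodeXml(reference, fileIdentifier, userSettings),
                });
            }

            return result;
        }

        /// <summary>
        /// Wraps the document's <c>&lt;data&gt;</c> element as a parseable node.
        /// </summary>
        /// <returns>
        /// A node over the data element, or <c>null</c> (after reporting an error) when the
        /// element is missing.
        /// </returns>
        public override ReaderNodeParseable ParseNode()
        {
            var data = record.ElementNamed("data");
            if (data == null)
            {
                Dbg.Err($"{new InputContext(fileIdentifier, record)}: No data element provided. This is not very recoverable.");

                return null;
            }

            return new ReaderNodeXml(data, fileIdentifier, userSettings);
        }
    }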
}