
horazont / aioxmpp
98%
devel: 98%

LAST BUILD BRANCH: feature/rpc
DEFAULT BRANCH: devel
Repo Added 26 Feb 2017 02:09PM UTC
Files 128
LAST BUILD ON BRANCH feature/fix-guard

pending completion
1424

push

travis-ci

horazont
xso: fix parser error handling

guard() was incorrectly counting the depth when either of the
following was true:

- the error occurred inside the first "start" event on which guard()
  is used: in that case, guard() would fail to swallow the
  corresponding "end" event.

- after an error, further elements appear in the stream before the
  guard()-ed element is over. In that case, guard() would fail to
  account for the "start" events caused by those events, and thus
  let its depth counter go entirely out-of-sync with the XML tree.

If this flaw is combined with the use of a suppressing
xso_error_handler, it is possible to make elements appear higher
up in the XML stream tree than they actually are; this implies
that it is possible to inject elements in the XML stream.

It requires very specific circumstances for an application to be
vulnerable. An example of a vulnerable XSO definition is:

import aioxmpp
import aioxmpp.xso

class Baz(aioxmpp.xso.XSO):
    TAG = ("https://xmlns.zombofant.net/aioxmpp/test", "baz")

class Bar(aioxmpp.xso.XSO):
    TAG = ("https://xmlns.zombofant.net/aioxmpp/test", "bar")

    # the "foo" attribute must parse as a JID; an invalid value is a
    # parsing error
    validated = aioxmpp.xso.Attr(
        "foo",
        type_=aioxmpp.xso.JID()
    )

    children = aioxmpp.xso.ChildList([Baz])

@aioxmpp.IQ.as_payload_class
class Foo(aioxmpp.xso.XSO):
    TAG = ("https://xmlns.zombofant.net/aioxmpp/test", "foo")

    child = aioxmpp.xso.Child([Bar])

    def xso_error_handler(self, descriptor, ev_args, exc_info):
        # a true return value suppresses the parsing error
        return True

If an attacker sends:

    <iq ... type='result'><foo xmlns='https://xmlns.zombofant.net/aioxmpp/test'><bar foo='&quot;@bar'><baz/><baz/><baz/></bar></foo></iq>

to an application, it will see the "end" event of the </iq> *on the
stream level*, breaking the XML stream (because it expects a
"start" event instead of an "end" event).

More sophisticated attacks could be used to make an element appear
on the stream level instead, which would open the possibility of
injecting, for example, <message> stanzas remotely into the s... (continued)
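
The depth miscount described in the commit message, as an added example that is not aioxmpp's code and not part of the original page: a simplified model of skipping a failed element in a start/end event stream, with the nested "start" events counted and not counted. The function names and the sample stanza are hypothetical and constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, shaped like the stanza in the commit message:
# <bar> fails validation and still has child elements after the error.
SAMPLE = "<iq><foo><bar foo='invalid'><baz/><baz/><baz/></bar></foo></iq>"


def events(xml_text):
    """Return (event, tag) pairs, like a SAX-style event stream."""
    parser = ET.XMLPullParser(events=("start", "end"))
    parser.feed(xml_text)
    parser.close()
    return [(ev, el.tag) for ev, el in parser.read_events()]


def skip_subtree(stream, track_nested_starts):
    """Drain the rest of an element whose "start" was already consumed.

    track_nested_starts=False models the miscount: "start" events seen
    while draining are not counted, so the first "end" event is taken
    for the end of the guarded element.
    """
    depth = 1  # the guarded element itself is open
    for ev, _tag in stream:
        if ev == "start" and track_nested_starts:
            depth += 1
        elif ev == "end":
            depth -= 1
            if depth == 0:
                return


def parse_foo(xml_text, track_nested_starts):
    """Parse <iq><foo>...; every child fails and is skipped (error suppressed).

    Returns the tags seen at the level of <foo>'s children and the tag of
    the "end" event the parser takes for the end of <foo>.
    """
    stream = iter(events(xml_text))
    next(stream)  # "start" of <iq>
    next(stream)  # "start" of <foo>
    seen = []
    for ev, tag in stream:
        if ev == "end":
            return seen, tag
        seen.append(tag)
        skip_subtree(stream, track_nested_starts)
    return seen, None
```

With correct counting the parser sees only `bar` below `foo` and closes `foo` on `</foo>`; with the miscount, two `baz` elements surface one level too high and `</bar>` is taken for the end of `foo`, so every later "end" event is also off by one level.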

12474 of 12739 relevant lines covered (97.92%)

0.98 hits per line

Source Files on feature/fix-guard
  • List 0
  • Changed 1
  • Source Changed 0
  • Coverage Changed 1

Recent builds

| Builds | Branch | Commit | Type | Ran | Committer | Via | Coverage |
|---|---|---|---|---|---|---|---|
| 1424 | feature/fix-guard | xso: fix parser error handling guard() was incorrectly counting the depth when either of the following was true: - the error occurred inside the first "start" event on which guard() is used: in that case, guard() would fail to swallow the cor... | push | 26 Jan 2019 03:47PM UTC | horazont | travis-ci | pending completion |
| 1393 | feature/fix-guard | xso: fix parser error handling guard() was incorrectly counting the depth when either of the following was true: - the error occurred inside the first "start" event on which guard() is used: in that case, guard() would fail to swallow the cor... | Pull #268 | 10 Jan 2019 07:08PM UTC | web-flow | travis-ci | pending completion |
| 1392 | feature/fix-guard | xso: fix parser error handling guard() was incorrectly counting the depth when either of the following was true: - the error occurred inside the first "start" event on which guard() is used: in that case, guard() would fail to swallow the cor... | push | 10 Jan 2019 07:01PM UTC | horazont | travis-ci | pending completion |