
Softens xml security settings #545

Merged: 2 commits, merged Jan 2, 2025
Conversation

@mkeckmkeck (Contributor) commented Dec 20, 2024

Description

Softens/relaxes XML security settings:

  • some of our customers deliver XML files with a DOCTYPE set
  • we do not want to forbid this, and so set the permission in a more fine-grained way
  • the target state is that XXE attacks are still impossible; see the adapted test case, which still does not contain the /etc/hosts content

Additional Notes

  • This PR fixes or works on following ticket(s): SIRI-1037

Checklist

  • Code change has been tested and works locally
  • Code was formatted via IntelliJ and follows SonarLint & best practices
  • Patch Tasks: Is local execution of Patch Tasks necessary? If so, please also mark the PR with the tag.

- some of our customers deliver XML files with a DOCTYPE set
- we do not want to forbid this, and so set the permission in a more fine-grained way
- the target state is that XXE attacks are still impossible; see the adapted test case,
  which still does not contain the /etc/hosts content

Fixes: SIRI-1037
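The two settings this PR contrasts, written out as an added example against the JDK's built-in JAXP DOM parser (this is not code from the PR or from the project; the class and method names, the feature set and the two sample documents are assumptions chosen for illustration). The strict factory rejects any DOCTYPE, so a customer file that merely declares one fails to parse. The relaxed factory accepts the DOCTYPE but never resolves external general or parameter entities and never fetches an external DTD, so the constructed `file:///etc/hosts` entity expands to nothing, which is the property the adapted test case checks for.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/** Hypothetical helper class (not the project's own): strict vs. relaxed XML parser settings. */
public class XmlParserSettings {

    // Constructed sample: a DOCTYPE with an external entity pointing at /etc/hosts (classic XXE).
    static final String XXE_DOC =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE data [\n"
      + "  <!ENTITY xxe SYSTEM \"file:///etc/hosts\">\n"
      + "]>\n"
      + "<data>&xxe;</data>";

    // Constructed sample: the benign case the customers deliver, a DOCTYPE but no entities.
    static final String DOCTYPE_DOC =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE data>\n"
      + "<data>hello</data>";

    /** Strict setting: every DOCTYPE is rejected, benign or not. */
    static DocumentBuilderFactory strictFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f;
    }

    /** Relaxed setting: DOCTYPE allowed, but the parser never touches anything external. */
    static DocumentBuilderFactory relaxedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Also caps entity expansion, so internal-entity bombs (billion laughs) are limited.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Do not resolve external general (&x;) or parameter (%x;) entities.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Do not fetch an external DTD named in the DOCTYPE.
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // JAXP 1.5 access-control properties: empty string means no protocol is allowed.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses xml with the given factory and returns the root element's text. */
    static String parseText(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        // Last line of defence: if the parser still asks for a resource, hand it nothing.
        b.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        try {
            parseText(strictFactory(), DOCTYPE_DOC);
            System.out.println("strict: accepted DOCTYPE (unexpected)");
        } catch (SAXParseException e) {
            // This is what breaks the customers' files under the old setting.
            System.out.println("strict: rejected benign DOCTYPE: " + e.getMessage());
        }

        String benign = parseText(relaxedFactory(), DOCTYPE_DOC);
        System.out.println("relaxed: benign DOCTYPE parsed, text = \"" + benign + "\"");

        String xxe = parseText(relaxedFactory(), XXE_DOC);
        // The external entity is skipped, so no /etc/hosts content reaches the document.
        System.out.println("relaxed: XXE entity expanded to \"" + xxe
            + "\", leaked host file: " + xxe.contains("localhost"));
    }
}
```

The check worth keeping in the project's test is the negative one shown last: assert that the parsed text does not contain a marker from the target file, not merely that parsing succeeded. Two caveats when loosening `disallow-doctype-decl`: internal entities are now expanded again, so `FEATURE_SECURE_PROCESSING` (which enforces the JDK's entity-expansion limits) must stay on; and `setAttribute` with the `ACCESS_EXTERNAL_*` properties throws `IllegalArgumentException` on parser implementations older than JAXP 1.5, so pin the parser implementation or guard that call if a third-party Xerces may be on the classpath.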
@idlira idlira added the 🧬 Enhancement Contains new features label Dec 20, 2024
@idlira (Contributor) left a comment


Perhaps enhance the test case to demonstrate a DOCTYPE which can be read?

- to demonstrate what can be read with the latest changes

Fixes: SIRI-1037
@mkeckmkeck mkeckmkeck merged commit e345f77 into develop Jan 2, 2025
3 checks passed
@mkeckmkeck mkeckmkeck deleted the feature/SIRI-1037_xxe_soften branch January 2, 2025 06:59