Bugzilla – Bug 1143658
AUDIT-FIND: obs-service-tar_scm: XML injection
Last modified: 2022-02-24 09:52:38 UTC
The XML is concatenated from strings; that looks like it allows XML injection. The URL is from untrusted input (the _service file), so it needs to be escaped properly.
To add a bit more context here: Malte probably meant this in TarSCM/changes.py:

    126     if service is None:
    127         service = ET.fromstring("""\
    128 <service name="tar_scm">
    129   <param name="url">%s</param>
    130 </service>
    131 """ % url)
    132         root.append(service)
    133         write_servicedata = True

but this class parses the _service file, which can be used directly to inject malicious XML:

    73      return ET.parse(servicedata_file, parser=xml_parser)

A good description of what is possible with this: https://pypi.org/project/defusedxml/

In this use case I see this as a hardening mostly. Because of that I'll reduce the severity.

Tracked in https://github.com/openSUSE/obs-service-tar_scm/issues/382 for visibility.
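Added example, not code from the bug report or the tar_scm project: the string-spliced pattern quoted above next to an API-built form, run on two constructed url values (one containing markup, one an ordinary URL with a query string) to show why the value has to be escaped rather than concatenated.

```python
import xml.etree.ElementTree as ET

# Constructed sample values standing in for the url read from an untrusted _service file.
# The first carries markup, the second is an ordinary URL with a query string.
MARKUP_URL = ('https://example.invalid/repo.git</param>'
              '<param name="revision">injected</param><param name="url">x')
QUERY_URL = 'https://example.invalid/repo.git?a=1&b=2'


def build_service_concat(url):
    """The pattern quoted in the report: the value is spliced into XML text,
    so any markup characters in it become part of the document structure."""
    return ET.fromstring("""\
<service name="tar_scm">
  <param name="url">%s</param>
</service>
""" % url)


def build_service_tree(url):
    """Hardened form: build the tree through the API. The value is stored as
    text and escaped by the serializer, so it can never close or open elements."""
    service = ET.Element("service", name="tar_scm")
    ET.SubElement(service, "param", name="url").text = url
    return service


def param_names(service):
    """Names of the <param> children actually present after parsing."""
    return [p.get("name") for p in service.findall("param")]


def parses_ok(url):
    """Whether the spliced version even yields well-formed XML for this url."""
    try:
        build_service_concat(url)
        return True
    except ET.ParseError:
        return False


def roundtrip_text(url):
    """Serialize the API-built tree and read the url back out unchanged."""
    data = ET.tostring(build_service_tree(url))
    return ET.fromstring(data).find("param").text
```

Note that the spliced version is not only injectable: a legitimate URL with `&` in its query string fails to parse at all, while the API-built tree carries it through intact.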
This is still valid and unfixed.
The network protection is handled in the network setup of the build.opensuse.org server. Not sure how any generic filtering of host names would look like...