
Impact of `encoding/xml` vulns

Open licaon-kter opened this issue 3 years ago • 4 comments

Ref: https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/

licaon-kter, Dec 15 '20 12:12

From @mdosch:

FYI

https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md
https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-directives.md
https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-elements.md

Neustradamus, Dec 15 '20 15:12

Sorry, but I think I'm missing some context here. How are these vulnerabilities supposed to affect the project?

ortuman, Sep 10 '21 17:09

It affects Go stuff that processes XML; jackal does this, so maybe it is too.

It's more a heads-up, you'd need to analyze if your usage is impacted or not.

licaon-kter, Sep 10 '21 17:09

If there is no security concern related to the ordering of attributes and elements, I don't believe these types of vulnerabilities affect the project. Basically, there is no way to ensure deterministic ordering between a struct and an XML doc through round trips. There are third party libraries which may be discussed in that blog post, if I recall, which can help this, but my guess is that this is not necessary unless you have some of the same concerns as projects like SAML which I believe is where this was identified as an issue.

PaluMacil, Sep 14 '22 13:09
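The comment above turns on whether a document survives a decode/re-encode round trip through `encoding/xml`; the linked xml-roundtrip-validator performs exactly that kind of check. The following is an added, stdlib-only sketch of the token-level round-trip check in Go, not code from jackal or from Mattermost's validator; the stanza-like sample document is constructed and namespace-free, and the linked advisories describe the inputs for which a check like this fails.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"reflect"
	"strings"
)

// tokenize parses doc and returns copies of every token (CopyToken is needed because the decoder reuses its buffers).
func tokenize(doc string) ([]xml.Token, error) {
	dec := xml.NewDecoder(strings.NewReader(doc))
	var toks []xml.Token
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return toks, nil
		} else if err != nil {
			return nil, err // malformed input, e.g. an unclosed element
		}
		toks = append(toks, xml.CopyToken(tok))
	}
}

// roundTripStable decodes doc, re-encodes the tokens, and reports whether the result decodes to the identical stream.
func roundTripStable(doc string) (bool, error) {
	orig, err := tokenize(doc)
	if err != nil {
		return false, err
	}
	var buf bytes.Buffer
	enc := xml.NewEncoder(&buf)
	for _, tok := range orig {
		if err := enc.EncodeToken(tok); err != nil {
			return false, err
		}
	}
	if err := enc.Flush(); err != nil {
		return false, err
	}
	again, err := tokenize(buf.String())
	return err == nil && reflect.DeepEqual(orig, again), err
}

func main() {
	// Constructed sample: a namespace-free XMPP-style message stanza.
	ok, err := roundTripStable(`<message to="a@example" type="chat"><body>hi</body></message>`)
	fmt.Println("round-trip stable:", ok, err)
}
```

A server that wanted this protection would run the check on every inbound document before acting on its parsed form and reject anything that does not round-trip.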