fix: block XXE file disclosure in default external entity handler #294

Draft
toddr-bot wants to merge 1 commit into main from koan.toddr.bot/fix-issue-278

fix: block XXE file disclosure in default external entity handler#294
toddr-bot wants to merge 1 commit into
mainfrom
koan.toddr.bot/fix-issue-278

Conversation

toddr-bot (Collaborator) commented May 22, 2026
Summary

The default file_ext_ent_handler allows arbitrary local file reads via XXE attacks — absolute paths (/etc/passwd) and directory traversal (../../etc/shadow) in external entity SYSTEM identifiers are passed directly to IO::File->new. This adds path validation that rejects absolute paths and .. components before file resolution.

A new UnsafeExternalEntities => 1 constructor option restores the old behavior for applications that legitimately need unrestricted entity paths.

Fixes #278

Changes

  • Reject absolute paths and .. traversal in file_ext_ent_handler (before base-path resolution)
  • Add UnsafeExternalEntities option to Non_Expat_Options, propagated to Expat object
  • Add POD documentation for new option and XXE section under SECURITY
  • Update t/nolwp.t to use UnsafeExternalEntities => 1 (uses absolute tempfile paths)
  • New test file t/xxe_path_restriction.t with 14 tests covering blocked paths, allowed paths, and opt-out

Test plan

  • make test passes all 741 tests across 64 files
  • New test verifies absolute Unix/Windows paths and .. traversal are blocked
  • New test verifies simple relative paths still work
  • New test verifies UnsafeExternalEntities => 1 allows absolute paths end-to-end
  • Existing t/nolwp.t, t/external_ent.t, t/ext_ent_io_control.t continue passing

Generated by Kōan /fix


Quality Report

Changes: 5 files changed, 183 insertions(+), 4 deletions(-)

Code scan: clean

Tests: passed (OK)

Branch hygiene: clean

Generated by Kōan post-mission quality pipeline
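The validation rule the PR describes, as an added example rather than the project's own code: a drop-in ExternalEnt handler for XML::Parser that rejects absolute SYSTEM identifiers (Unix, Windows drive letters, UNC) and any `..` component before resolving the identifier against the directory of the document being parsed. The function names, the scratch directory and the three sample documents are invented for the demonstration; the scheme check is stricter than the PR states (the stock handler already treats `name:` ids as absolute), and the UnsafeExternalEntities opt-out is not modelled.

```perl
#!/usr/bin/perl
# Added example (not XML::Parser's own code): a hardened ExternalEnt handler
# that applies the check described in PR #294 before opening any file.
use strict;
use warnings;
use XML::Parser;
use File::Temp qw(tempdir);
use File::Spec;

# Returns true only for plain relative paths. Rejects Unix absolute and UNC
# paths (leading / or \), Windows drive letters and URL schemes (anything of
# the form "name:"), and any ".." component with either separator.
sub system_id_is_safe {
    my ($sysid) = @_;
    return 0 unless defined $sysid && length $sysid;
    return 0 if $sysid =~ m{^[\\/]};
    return 0 if $sysid =~ m{^[A-Za-z][A-Za-z0-9+.-]*:};
    return 0 if grep { $_ eq '..' } split m{[\\/]}, $sysid;
    return 1;
}

# Replacement for the default file handler (hypothetical name). Installed via
# Handlers => { ExternalEnt => \&safe_file_ext_ent_handler } it overrides both
# file_ext_ent_handler and the LWP-based default. A safe id is resolved against
# the directory of $base and the file contents are returned as a string;
# an unsafe id aborts the parse through xpcroak.
sub safe_file_ext_ent_handler {
    my ($xp, $base, $sysid, $pubid) = @_;

    $xp->xpcroak("refused external entity SYSTEM id '$sysid': "
               . "absolute path, scheme, or '..' component")
        unless system_id_is_safe($sysid);

    my $path = $sysid;
    if (defined $base) {
        (my $dir = $base) =~ s{[^\\/]*$}{};    # drop the document's file name
        $path = $dir . $sysid;
    }

    open my $fh, '<', $path
        or $xp->xpcroak("cannot open external entity '$path': $!");
    local $/;                                  # slurp the whole entity
    my $content = <$fh>;
    close $fh;
    return $content;
}

# Constructed fixture: a scratch directory holding one legitimate include.
my $dir     = tempdir(CLEANUP => 1);
my $include = File::Spec->catfile($dir, 'chapter1.xml');
open my $out, '>', $include or die "cannot write $include: $!";
print {$out} '<chapter>hello</chapter>';
close $out;

# Constructed documents: the two attack patterns named in the PR, plus a
# relative include that must keep working after the check is in place.
my @docs = (
    [ 'absolute path'    => '<!DOCTYPE r [<!ENTITY x SYSTEM "/etc/passwd">]><r>&x;</r>' ],
    [ 'traversal'        => '<!DOCTYPE r [<!ENTITY x SYSTEM "../../etc/shadow">]><r>&x;</r>' ],
    [ 'relative include' => '<!DOCTYPE r [<!ENTITY x SYSTEM "chapter1.xml">]><r>&x;</r>' ],
);

my $n = 0;
for my $doc (@docs) {
    my ($label, $xml) = @$doc;
    my $file = File::Spec->catfile($dir, 'doc' . $n++ . '.xml');
    open my $w, '>', $file or die "cannot write $file: $!";
    print {$w} $xml;
    close $w;

    # parsefile sets Base to $file, so the handler resolves relative ids
    # against the scratch directory, exactly as the stock handler would.
    my $p = XML::Parser->new(
        Handlers => { ExternalEnt => \&safe_file_ext_ent_handler },
    );
    my $ok = eval { $p->parsefile($file); 1 };
    printf "%-17s %s\n", "$label:", $ok ? "parsed" : "rejected ($@)";
}
```

On released XML::Parser versions, installing a handler like this through Handlers => { ExternalEnt => ... } is the application-side mitigation, since it replaces file_ext_ent_handler (and the LWP-based default) for every external entity reference; a handler that simply returns undef disables external entity loading outright, because the parser treats undef as a failed lookup and generates a parse error. External parameter entities declared in the DTD are only fetched when ParseParamEnt is set, so the general-entity case shown above is the one that is reachable by default.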

…ernEnt handler

The default file_ext_ent_handler opens any file path from an XML external
entity SYSTEM identifier, enabling XXE file disclosure attacks (e.g.
/etc/passwd, ../../etc/shadow). Add path validation that rejects absolute
paths and .. traversal components before file resolution.

New UnsafeExternalEntities => 1 option restores the old behavior for
applications that legitimately need unrestricted entity paths.

Fixes #278

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
codecov Bot commented May 22, 2026
Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 76.54%. Comparing base (ab2416c) to head (287625f).
⚠️ Report is 7 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #294      +/-   ##
==========================================
+ Coverage   76.40%   76.54%   +0.14%     
==========================================
  Files           1        1              
  Lines        1102     1113      +11     
  Branches      346      351       +5     
==========================================
+ Hits          842      852      +10     
  Misses         52       52              
- Partials      208      209       +1     
Flag Coverage Δ
perl 76.54% <ø> (+0.14%) ⬆️
xs 76.54% <ø> (+0.14%) ⬆️

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data

Powered by Codecov. Last update 5a28ad1...287625f.
Development

Successfully merging this pull request may close these issues.

Security: Default file entity handler allows arbitrary local file read via XXE