Rusty Lemur

Reputation: 1885

Is the Python2.7 SimpleXMLRPCServer sample code vulnerable?

In the Python 2.7 documentation for SimpleXMLRPCServer, the following code sets up a server:

from SimpleXMLRPCServer import SimpleXMLRPCServer
from SimpleXMLRPCServer import SimpleXMLRPCRequestHandler

# Restrict to a particular path.
class RequestHandler(SimpleXMLRPCRequestHandler):
    rpc_paths = ('/RPC2',)

# Create server
server = SimpleXMLRPCServer(("localhost", 8000),
                            requestHandler=RequestHandler)
server.register_introspection_functions()

# Register pow() function; this will use the value of
# pow.__name__ as the name, which is just 'pow'.
server.register_function(pow)

# Register a function under a different name
def adder_function(x,y):
    return x + y
server.register_function(adder_function, 'add')

# Register an instance; all the methods of the instance are
# published as XML-RPC methods (in this case, just 'div').
class MyFuncs:
    def div(self, x, y):
        return x // y

server.register_instance(MyFuncs())

# Run the server's main loop
server.serve_forever()

I've read that Python's XMLRPC server can be vulnerable to some XML attacks, specifically "billion laughs", "quadratic blowup", and "decompression bomb." Is the sample code from the documentation vulnerable to these attacks, and are further means necessary to protect it from these vulnerabilities? I'm modeling some client-server code after this sample code, and wondering how vulnerable the SimpleXMLRPCServer is. If this sample code is vulnerable, then I think I'll need to do something in my application as well.

EDIT:

This is what I've implemented to resolve the XML vulnerability. Is this correct, and is it all that should be needed to protect the example code?

from SimpleXMLRPCServer import SimpleXMLRPCServer
from SimpleXMLRPCServer import SimpleXMLRPCRequestHandler

from defusedxml.xmlrpc import monkey_patch  # Protects against XML vulnerabilities.  See https://docs.python.org/2/library/xml.html
monkey_patch()

# Rest of code is the same as above

Upvotes: 1

Views: 546

Answers (1)

BoarGules

Reputation: 16952

The libraries are vulnerable to the XML attacks and (the nature of the attacks being what they are) the sample code is not proof against the attacks, because that is not where the vulnerabilities lie: they actually lie in the libraries' correct implementation of the XML specifications. It is not easy for client code to protect itself against the correct execution of an API call.

If you are concerned about these issues you could try using the library defusedxml. According to the documentation for xmlrpc.server (which is the Python 3 version of SimpleXMLRPCServer), the library defusedxml and its friend defusedxpat are candidates for inclusion in the Python 3 standard library in the future, and are not there now only because they would break backward compatibility.

Upvotes: 2
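An added example, not code from the question or the answer: a Python 3 (xmlrpc.server) port of the sample's server that refuses a request body carrying a DOCTYPE or ENTITY declaration, or one over a size cap, before the XML parser ever sees it. The names HardenedDispatcher, HardenedServer, reject_reason, local_call and MAX_BODY_BYTES are mine, the override hooks the private CPython method _marshaled_dispatch, and the check is a pre-parse screen that complements defusedxml's monkey_patch() rather than replacing it.

```python
import re
from xmlrpc.client import Fault, dumps, loads
from xmlrpc.server import SimpleXMLRPCDispatcher, SimpleXMLRPCServer

# Constructed cap: the sample's pow/add/div calls are a few hundred bytes, so a
# body near this size is not a legitimate request for this server.
MAX_BODY_BYTES = 64 * 1024
# A well-formed XML-RPC call never carries a DOCTYPE or ENTITY declaration, and
# the entity-expansion attacks named in the question cannot work without one.
_DTD_MARKER = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)

def reject_reason(body):
    """Return None if the raw body may go to the parser, else why it must not."""
    # The handler has already gzip-decoded the body, so this bounds the
    # decompressed size rather than the size on the wire.
    if len(body) > MAX_BODY_BYTES:
        return "request body exceeds %d bytes" % MAX_BODY_BYTES
    if _DTD_MARKER.search(body):
        return "DTD or entity declaration is not allowed in an XML-RPC request"
    return None

class HardenedDispatcher(SimpleXMLRPCDispatcher):
    """Screens the raw body before loads() hands it to expat. Overrides the
    private CPython hook _marshaled_dispatch, so re-check it on each upgrade."""
    def _marshaled_dispatch(self, data, dispatch_method=None, path=None):
        reason = reject_reason(data)
        if reason is not None:
            # Answer with an ordinary XML-RPC fault; the body is never parsed.
            fault = dumps(Fault(1, reason), methodresponse=True)
            return fault.encode(self.encoding, 'xmlcharrefreplace')
        return super()._marshaled_dispatch(data, dispatch_method, path)

class HardenedServer(HardenedDispatcher, SimpleXMLRPCServer):
    """Drop-in for SimpleXMLRPCServer in the sample; same constructor."""

def adder_function(x, y):
    return x + y

def local_call(dispatcher, body):
    """Feed a raw request to a dispatcher with no socket involved. Returns the
    result tuple, or the fault string when the call was refused or failed."""
    try:
        return loads(dispatcher._marshaled_dispatch(body))[0]
    except Fault as fault:
        return fault.faultString

if __name__ == "__main__":
    server = HardenedServer(("localhost", 8000))
    server.register_function(adder_function, 'add')
    server.serve_forever()
```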
