gh-90949: add Expat API to prevent XML deadly allocations #139234
Conversation
picnixz
force-pushed
the
feat/xml/mitigation-api-90949
branch
from
3fa5b10 to
9c7371f
Compare
|
I plan to also expose the billion laugh mitigation API, but in a separate PR. |
|
@picnixz thanks for taking on this project — very much appreciated! 🙏
@picnixz there is mention of the activation threshold in the final note of https://libexpat.github.io/doc/api/latest/#XML_SetAllocTrackerMaximumAmplification but I'm happy if the topic gets more attention in CPython docs. I already started review and spotted a few things. I will likely submit a first round of review some time later today. |
I assume you are actually talking about this:
I actually understood it only as "if you use a smaller factor then in practice, you might want to change the activation threshold" but I didn't understand it as "the amplification factor is only used if we exceed the threshold in the first place". I assumed from the note on
|
Thank you! I'll hold the work on the billion laugh API as it'll be easier to add the API once this one is merged. |
picnixz
force-pushed
the
feat/xml/mitigation-api-90949
branch
from
4ba478d to
d636685
Compare
| } | ||
| #endif | ||
|
|
||
| #if XML_COMBINED_VERSION >= 20702 |
There was a problem hiding this comment.
I understand that Expat >=2.7.2 is needed to offer this functionality, but maybe the the Python API should be available in any case and raise exceptions that the compile time Expat was not recent enough to support this feature. Is that what's happening? I remember we had this very question when introducing SetReparseDeferralEnabled.
There was a problem hiding this comment.
Argument Clinic will handle this automatically by "not" having the function (an AttributeError will be raised). For SetReparseDeferralEnabled, it appears that the API call will be a no-op otherwise.
Maybe it's better to raise NotImplementedError instead of the default AttributeError, as we usually do in ssl when the libssl backend is not the latest.
There was a problem hiding this comment.
@picnixz I'd like to vote for NotImplementedError or no-op rather than AttributeError for now. I'll need to sleep over this and potentially dig up past communication on the reparse deferall thing. There was past rationale on this somewhere.
There was a problem hiding this comment.
I would prefer a NotImplementedError over a no-op, as otherwise people might assume that they are protected against some attacks while they are not.
There was a problem hiding this comment.
@picnixz I should note that protection is active by default (or it would not have fixed the vulnerability). So a no-op in the tuning function would leave them protected under default settings, not unprotected.
There was a problem hiding this comment.
I like the #error approach. It simplifies the checks. I think I'll do a separate PR for that one.
There was a problem hiding this comment.
@picnixz please feel free to CC me for review there 👍
There was a problem hiding this comment.
Actually, if I include expat_config.h before, those symbols will anyway be defined (unless someone changes expat_config.h). But I don't think I need to assume that expat_config.h should be changed. Until now, it was not even used... (it wasn't included). I prefer not to overcomplicate the file (but at least now I know that it should be fine)
There was a problem hiding this comment.
@picnixz file expat_config.h is auto-generated by the Expat build system (if systemwide Expat is used) and hardcoded by CPython when the bundle is used. So in the former case, XML_DTD and XML_GE could be defined or not: it's under the sysadmin's control.
There was a problem hiding this comment.
Oh thanks for the explanation. I thought it was a python-only file.
@picnixz I confirm, yes, exactly 👍
I see. I think that means that upstream docs should be adjusted some way to make it easier to read that (or them) as interconnected. How about I try a related pull request upstream and you take the review seat there?
Understood, good plan 👍 |
|
@picnixz here's what I had before for a 3.13 version making up for static PyObject *
format_xml_error(enum XML_Error code, XML_Size lineno, XML_Size column)
{
const char *errmsg = XML_ErrorString(code);
char asciiBuffer[512] = "";
const int formatRet = snprintf(asciiBuffer, sizeof(asciiBuffer),
"%s: line %zu, column %zu",
errmsg, (size_t)lineno, (size_t)column);
if (formatRet < 0 || formatRet >= (int)sizeof(asciiBuffer)) {
return NULL;
}
_PyUnicodeWriter writer;
_PyUnicodeWriter_Init(&writer);
writer.overallocate = 1;
if (_PyUnicodeWriter_WriteASCIIString(&writer, asciiBuffer,
strlen(asciiBuffer)) < 0)
{
_PyUnicodeWriter_Dealloc(&writer);
return NULL;
}
return _PyUnicodeWriter_Finish(&writer);
} |
|
GH-139367 is a backport of this pull request to the 3.13 branch. |
…on API (python#139366) Fix some typos left in f04bea4, and simplify some internal functions to ease maintenance of future mitigation APIs. (cherry picked from commit 68a1778)
…on API (python#139366) Fix some typos left in f04bea4, and simplify some internal functions to ease maintenance of future mitigation APIs.
@picnixz any ideas about what to do about Regarding |
I think we could just add a method for tuning the protections? maybe a single method for all protections? or a configuration object for that? I don't really know which one would be the best here. |
|
Note: I think having the user calling |
|
@picnixz it's a pity that etree and sax are not reusing pyexpat internally (as can be seen in |
But they do I think? at least there is some ExpatReader in the sax module and I think there is some |
|
@picnixz maybe we need to look at sax and etree separately. Other than sax, etree has a C and a pure-Python version of the same module that — I think — need to satisfy the same interface. The C version of etree does not seem to use |
|
Indeed, for I would instead suggest that we don't do anything for this one, and that by default, it's left untouched (namely make those methods a no-op). For the C implementation, we would add new methods at the level of For SAX, it's also a pure Python implementation (no C), so I suggest leaving the API empty as well. The pure Python implementation however seems to only use I think checking for the existence of the underlying C API through |
CVE-2025-59375) (pythonGH-139234) Expose the XML Expat 2.7.2 mitigation APIs to disallow use of disproportional amounts of dynamic memory from within an Expat parser (see CVE-2025-59375 for instance). The exposed APIs are available on Expat parsers, that is, parsers created by `xml.parsers.expat.ParserCreate()`, as: - `parser.SetAllocTrackerActivationThreshold(threshold)`, and - `parser.SetAllocTrackerMaximumAmplification(max_factor)`. (cherry picked from commit f04bea4) Co-authored-by: Bénédikt Tran <[email protected]>
…on API (python#139366) Fix some typos left in f04bea4, and simplify some internal functions to ease maintenance of future mitigation APIs. (cherry picked from commit 68a1778)
|
GH-139527 is a backport of this pull request to the 3.12 branch. |
…2025-59375) (python#139234) Expose the XML Expat 2.7.2 mitigation APIs to disallow use of disproportional amounts of dynamic memory from within an Expat parser (see CVE-2025-59375 for instance). The exposed APIs are available on Expat parsers, that is, parsers created by `xml.parsers.expat.ParserCreate()`, as: - `parser.SetAllocTrackerActivationThreshold(threshold)`, and - `parser.SetAllocTrackerMaximumAmplification(max_factor)`. (cherry picked from commit f04bea4)
…on API (python#139366) Fix some typos left in f04bea4, and simplify some internal functions to ease maintenance of future mitigation APIs. (cherry picked from commit 68a1778)
|
GH-139529 is a backport of this pull request to the 3.11 branch. |
…2025-59375) (python#139234) Expose the XML Expat 2.7.2 mitigation APIs to disallow use of disproportional amounts of dynamic memory from within an Expat parser (see CVE-2025-59375 for instance). The exposed APIs are available on Expat parsers, that is, parsers created by `xml.parsers.expat.ParserCreate()`, as: - `parser.SetAllocTrackerActivationThreshold(threshold)`, and - `parser.SetAllocTrackerMaximumAmplification(max_factor)`. (cherry picked from commit f04bea4)
…on API (python#139366) Fix some typos left in f04bea4, and simplify some internal functions to ease maintenance of future mitigation APIs. (cherry picked from commit 68a1778)
|
GH-139532 is a backport of this pull request to the 3.10 branch. |
@hartwork I observed that the maximum allocation factor is only checked if we exceed the activation threshold. The online docs for Expat didn't explicitly mention it so I mentioned it in our docs.
I eventually decided to redo the float-check in case of an error so that we can give a better message to the user (as it relates to security practices, I think it's good to explain why the API call failed as much as we can).
📚 Documentation preview 📚: https://cpython-previews--139234.org.readthedocs.build/