
v2.1 - Fix REXML::Security.entity_expansion_limit global mutation #707

johnnyshields opened this issue Jul 10, 2024 · 0 comments

johnnyshields commented Jul 10, 2024

RubySaml::XML::BaseDocument has a line:

REXML::Security.entity_expansion_limit = 0

This mutates the global state of REXML, and also means that RubySaml could be affected by other gems changing this.

Instead, we should do something like:

require "rexml/document" # also loads REXML::Security

# Set the limit only for the duration of the block and restore the previous
# value afterwards, even if the block raises.
def with_secure_rexml
  old_eel = REXML::Security.entity_expansion_limit
  REXML::Security.entity_expansion_limit = 0
  yield
ensure
  REXML::Security.entity_expansion_limit = old_eel
end

It's not thread-safe, however...

Maybe just replace REXML with Nokogiri?
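A variant of the helper proposed above, as an added example that is not part of ruby-saml or of this issue: it restores the global in an `ensure`, serializes callers through a Mutex, and shows that a limit of 0 makes REXML reject a document with a single entity reference. The module name `SecureRexml`, the `demo` helper and the sample XML are constructed for this example; the Mutex only covers callers of this helper, other code in the process still sees the mutated global.

```ruby
require "rexml/document"

# Added example (not ruby-saml's code): the issue's with_secure_rexml with the
# restore in an ensure and callers serialized by a Mutex. The Mutex only covers
# code that goes through this helper; anything else in the process that reads
# REXML::Security.entity_expansion_limit still sees the changed global.
module SecureRexml
  LOCK = Mutex.new
  def self.with_secure_rexml(limit = 0)
    LOCK.synchronize do
      old_limit = REXML::Security.entity_expansion_limit
      REXML::Security.entity_expansion_limit = limit
      begin
        yield
      ensure
        # Put the previous value back even if the block raised.
        REXML::Security.entity_expansion_limit = old_limit
      end
    end
  end

  # Parse and force expansion of the root text under the limit. REXML raises a
  # RuntimeError ("number of entity expansions exceeded") on any expansion at 0.
  def self.parse_text(xml)
    with_secure_rexml do
      doc = REXML::Document.new(xml)
      doc.root.text
    end
  end

  # Constructed sample input: one internal entity referenced once.
  ENTITY_XML = <<~XML
    <?xml version="1.0"?>
    <!DOCTYPE r [ <!ENTITY e "expanded"> ]>
    <r>&e;</r>
  XML
  PLAIN_XML = "<r>plain</r>"

  # Returns [entity document rejected?, global limit restored afterwards?].
  def self.demo
    before = REXML::Security.entity_expansion_limit
    rejected = begin
      parse_text(ENTITY_XML)
      false
    rescue RuntimeError
      true
    end
    [rejected, REXML::Security.entity_expansion_limit == before]
  end
end
```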
