aeonframework 1afe545929 fix(security): route untrusted XML parsing through defusedxml
The repo's threat model (SECURITY.md) calls out XML/SVG content as a key
attack surface and lists "ElementTree auto-escaping" as the mitigation.
That covers XML *output* (serialization). XML *input* (parsing) across
the agent backends still goes through stdlib `xml.etree.ElementTree`,
which is vulnerable to entity-expansion DoS ("billion laughs" /
quadratic blowup) — Python 3.7.1 disabled external-entity lookup on ET
by default, but internal-entity expansion is still possible and can
exhaust CPU/RAM from a small file.

Migrate the parse/fromstring call sites in production code paths to
defusedxml.ElementTree (drop-in API). Construction calls (Element,
SubElement, tostring, register_namespace) are left on stdlib ET — those
don't parse untrusted input. Tests are left as-is in this PR.

Detected by Aeon + semgrep p/security-audit + p/owasp-top-ten
(rules: use-defused-xml, use-defused-xml-parse).
Severity: medium (DoS from agent-ingested files; not RCE).
CWE-776 Improper Restriction of Recursive Entity References.
2026-05-19 07:59:52 +00:00
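The distinction the commit message draws between external-entity lookup and internal-entity expansion, as an added example that is not code from this repository: stdlib `xml.etree.ElementTree` expands a small constructed set of nested internal entities, and a parser that refuses entity declarations rejects the same document before any expansion happens. It uses only the standard library so it runs without defusedxml installed; `strict_fromstring`, `expanded_length`, `is_rejected` and `EntityDeclForbidden` are hypothetical names, and the sketch ignores namespaces. The commit itself migrates call sites to `defusedxml.ElementTree`.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class EntityDeclForbidden(ValueError):
    """Raised when a document declares an entity in its DTD."""


# Constructed sample: three nested internal entities, 4 x 4 x 4 = 64 copies of "ha".
SAMPLE = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE r [\n'
    ' <!ENTITY a "ha">\n'
    ' <!ENTITY b "&a;&a;&a;&a;">\n'
    ' <!ENTITY c "&b;&b;&b;&b;">\n'
    ' <!ENTITY d "&c;&c;&c;&c;">\n'
    ']>\n'
    '<r>&d;</r>'
)
BENIGN = '<r><item id="1">ok</item></r>'  # constructed, no DTD


def expanded_length(xml_text):
    """Parse with stdlib ET and return the length of the root's expanded text."""
    return len(ET.fromstring(xml_text).text or "")


def strict_fromstring(xml_text):
    """Build an ET tree with expat, refusing any entity declaration."""
    def reject(name, is_param, value, base, system_id, public_id, notation):
        raise EntityDeclForbidden(f"entity declaration not allowed: {name!r}")

    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.EntityDeclHandler = reject  # fires on the first <!ENTITY ...>
    parser.Parse(xml_text, True)
    return builder.close()


def is_rejected(xml_text):
    """True if the strict parser refuses the document."""
    try:
        strict_fromstring(xml_text)
    except EntityDeclForbidden:
        return True
    return False
```

The sample's amplification is deliberately tiny; the point is that the expansion happens inside the parser, so the only reliable place to stop it is at parse time.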