mirror of
https://gitlab.gnome.org/GNOME/libxml2.git
synced 2025-10-26 00:37:43 +03:00
entities: Rework entity amplification checks
This commit implements robust detection of entity amplification attacks, better known as the "billion laughs" attack. We now limit the size of the document after substitution of entities to 10 times the size before expansion. This guarantees linear behavior by definition.

There already was a similar check before, but the accounting of "sizeentities" (size of external entities) and "sizeentcopy" (size of all copies created by entity references) wasn't accurate. We also need saturation arithmetic since we're historically limited to "unsigned long" which is 32-bit on many platforms.

A maximum of 10 MB of substitutions is always allowed. This should make use cases like DITA work which have caused problems in the past.

The old checks based on the number of entities were removed. This is accounted for by adding a fixed cost to each entity reference.

Entity amplification checks are now enabled even if XML_PARSE_HUGE is set. This option is mainly used to allow larger text nodes. Most users were unaware that it also disabled entity expansion checks.

Some of the limits might be adjusted later. If this change turns out to affect legitimate use cases, we can add a separate parser option to disable the checks.

Fixes #294.
Fixes #345.
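The policy the commit message describes (expansion capped at 10x the consumed input, a 10 MB allowance that is always granted, a fixed cost per entity reference, and saturating `unsigned long` arithmetic) can be illustrated in isolation. The following is an added example written for this page, not libxml2's own code: the constant names, the `ampl_state` struct, the per-reference cost of 100 bytes and the scenario sizes are all assumptions chosen to show how the check behaves, and the counters stand in for what the commit calls `sizeentities`/`sizeentcopy`.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Constants modelled on the policy in the commit message above. The names
 * and the per-reference cost are this example's own (assumed), not libxml2's. */
#define AMPL_FACTOR       10UL                  /* expansion may be at most 10x the input */
#define AMPL_ALWAYS_OK    (10UL * 1024 * 1024)  /* 10 MB of substitution is always allowed */
#define ENTITY_REF_COST   100UL                 /* assumed fixed cost charged per reference */

/* Saturating add: unsigned long is 32-bit on many platforms, so a wrapping
 * add could turn a multi-gigabyte expansion into a small-looking number. */
static unsigned long sat_add(unsigned long a, unsigned long b)
{
    return (a > ULONG_MAX - b) ? ULONG_MAX : a + b;
}

/* Per-parse accounting (hypothetical; plays the role of the counters the
 * commit message calls sizeentities and sizeentcopy). */
typedef struct {
    unsigned long consumed;   /* input bytes read, i.e. size before expansion */
    unsigned long entcopy;    /* bytes produced by entity substitution */
} ampl_state;

/* Charge one entity reference that expands to 'expansion' bytes. */
static void ampl_charge(ampl_state *st, unsigned long expansion)
{
    st->entcopy = sat_add(st->entcopy, ENTITY_REF_COST);
    st->entcopy = sat_add(st->entcopy, expansion);
}

/* 1 = within limits, 0 = reject the document as entity amplification. */
static int ampl_ok(const ampl_state *st)
{
    unsigned long limit;

    if (st->entcopy <= AMPL_ALWAYS_OK)
        return 1;                       /* the fixed allowance covers it */
    /* limit = consumed * 10, saturating instead of wrapping */
    limit = (st->consumed > ULONG_MAX / AMPL_FACTOR)
            ? ULONG_MAX : st->consumed * AMPL_FACTOR;
    return st->entcopy <= limit;
}

/* Run the accounting for a document of 'consumed' input bytes whose entity
 * references expand to the sizes listed in 'refs'. Returns 1 if accepted,
 * 0 as soon as the limit is exceeded (a parser would stop there too). */
static int check_document(unsigned long consumed,
                          const unsigned long *refs, size_t nrefs)
{
    ampl_state st = { consumed, 0 };
    size_t i;

    for (i = 0; i < nrefs; i++) {
        ampl_charge(&st, refs[i]);
        if (!ampl_ok(&st))
            return 0;
    }
    return 1;
}

/* Constructed scenarios (sizes are made up for illustration). */
static const unsigned long SMALL_REFS[] = { 4096, 4096, 4096 };          /* 12 KB from 1 KB of input */
static const unsigned long LARGE_REFS[] = { 50UL << 20, 50UL << 20 };    /* 100 MB from 20 MB: 5x */
static const unsigned long AMPL_REFS[]  = { 1UL << 30, 1UL << 30,
                                            1UL << 30, 1UL << 30 };      /* 4 GB from 1 KB of input */

int main(void)
{
    printf("small document   : %s\n",
           check_document(1024, SMALL_REFS, 3) ? "accepted" : "rejected");
    printf("large, 5x expand : %s\n",
           check_document(20UL << 20, LARGE_REFS, 2) ? "accepted" : "rejected");
    printf("amplification    : %s\n",
           check_document(1024, AMPL_REFS, 4) ? "accepted" : "rejected");
    return 0;
}
```

The third scenario is rejected on its first reference: 1 GB of substitution from 1 KB of input is far above both the 10 MB allowance and the 10x limit, so the check never has to count the remaining copies. Without `sat_add`, four 1 GB copies on a 32-bit `unsigned long` would wrap to a few hundred bytes, which is exactly the blind spot the commit message's saturation arithmetic closes.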
@@ -61,17 +61,14 @@ struct _xmlParserInput {
int length; /* length if known */
int line; /* Current line */
int col; /* Current column */
/*
* NOTE: consumed is only tested for equality in the parser code,
* so even if there is an overflow this should not give troubles
* for parsing very large instances.
*/
unsigned long consumed; /* How many xmlChars already consumed */
xmlParserInputDeallocate free; /* function to deallocate the base */
const xmlChar *encoding; /* the encoding string for entity */
const xmlChar *version; /* the version string for entity */
int standalone; /* Was that entity marked standalone */
int id; /* an unique identifier for the entity */
unsigned long parentConsumed; /* consumed bytes from parents */
xmlEntityPtr entity; /* entity, if any */
};
/**
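Review bot: the NOTE comment on `consumed` that disappears from this hunk ("consumed is only tested for equality in the parser code, so even if there is an overflow this should not give troubles") documented an assumption the commit message itself retracts: consumed byte counts now feed the amplification limit, which is why the message calls for saturating `unsigned long` arithmetic. Replace the dropped NOTE with a comment on `consumed` and the new `parentConsumed` field stating that both are accumulated with saturating arithmetic and are compared against the expansion limit, so the next maintainer does not reintroduce a plain wrapping add. The rendered diff has lost its `+`/`-` markers; the header `@@ -61,17 +61,14 @@` plus the content indicate that the five-line NOTE block is the removal and `parentConsumed` and `entity` are the additions. A second, smaller point: both new members are appended at the end of the public `struct _xmlParserInput`, which keeps existing member offsets intact but still grows the struct, so the change deserves a line in the release notes for callers that embed or copy the struct.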