Merge pull request #581 from Fryguy/fix_improper_bom_handling

Fix MiqXml handling of BOM + handle CVE-2024-39908 (cherry picked from commit 3c0c7bb)
ManageIQ · Oct 2, 2024 · c9ea131 · c9ea131
1 parent d965f71
commit c9ea131
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 12 deletions.
diff --git a/lib/gems/pending/util/xml/miq_rexml.rb b/lib/gems/pending/util/xml/miq_rexml.rb
@@ -279,15 +279,6 @@ def extendXmlDiff; end
 
     def self.load(data)
       REXML::Document.new(data)
-    rescue => err
-      if err.class == ::Encoding::CompatibilityError
-        data_utf8 = data.dup.force_encoding('UTF-8')
-        # Check for UTF-8 BOM and remove
-        data_utf8 = data_utf8[3..-1] if data_utf8[0, 3] == "\xC3\xAF\xC2\xBB\xC2\xBF".force_encoding("UTF-8")
-        REXML::Document.new(data_utf8)
-      else
-        raise
-      end
     end
 
     def self.loadFile(filename)

diff --git a/manageiq-gems-pending.gemspec b/manageiq-gems-pending.gemspec
@@ -28,6 +28,7 @@ Gem::Specification.new do |s|
   s.add_runtime_dependency "more_core_extensions",    "~> 4.4"
   s.add_runtime_dependency "net-ftp",                 "~> 0.1.2"
   s.add_runtime_dependency "nokogiri",                "~> 1.14", ">= 1.14.3"
+  s.add_runtime_dependency "rexml",                   ">= 3.3.2"
   s.add_runtime_dependency "sys-proctable",           "~> 1.2.5"
   s.add_runtime_dependency "sys-uname",               "~> 1.2.1"
   s.add_runtime_dependency "win32ole",                "~> 1.8.8" # this gem was extracted in ruby 3 - required if we use wmi on windows

diff --git a/spec/util/miq-xml_spec.rb b/spec/util/miq-xml_spec.rb
@@ -6,15 +6,34 @@
     expect(xml.root.elements[1].attributes['attr1']).to eq(attr_string)
   end
 
+  it "handles loaded document with top-level text nodes" do
+    attr_string = "test string"
+    doc_text = "XXX<test><element_1 attr1='#{attr_string}'/></test>"
+
+    xml = MiqXml.load(doc_text)
+    expect(xml.root.elements[1].attributes['attr1']).to eq(attr_string)
+
+    expect(xml.to_s).to start_with("XXX<test>")
+
+    xml.write(xml_str = '', 1)
+    expect(xml_str).to start_with("\n<test>")
+  end
+
   it "handles loaded document with UTF-8 BOM" do
+    bom = "\xEF\xBB\xBF".force_encoding("US-ASCII")
     attr_string = "test string"
-    doc_text = "\xC3\xAF\xC2\xBB\xC2\xBF<test><element_1 attr1='#{attr_string}'/></test>"
+    doc_text = "#{bom}<test><element_1 attr1='#{attr_string}'/></test>".force_encoding("US-ASCII")
+    expect(doc_text.bytes[0, 3]).to eq(bom.bytes)
+
     xml = MiqXml.load(doc_text)
     expect(xml.root.elements[1].attributes['attr1']).to eq(attr_string)
 
-    expect(xml.to_s[0, 3]).to eq("\xC3\xAF\xC2\xBB\xC2\xBF")
+    expect(xml.to_s.bytes[0, 3]).to_not eq(bom.bytes)
+    expect(xml.to_s).to start_with("<test><element_1")
+
     xml.write(xml_str = '', 1)
-    expect(xml_str[0, 3]).to eq("\xC3\xAF\xC2\xBB\xC2\xBF")
+    expect(xml_str.bytes[0, 3]).to_not eq(bom.bytes)
+    expect(xml_str).to start_with("<test>\n <element_1")
   end
 
   it "add_element with control characters" do