File: README.md

golang-github-mattermost-xml-roundtrip-validator 0.1.0-4
  • area: main
  • in suites: bookworm, sid, trixie
  • size: 152 kB
  • sloc: makefile: 5
# xml-roundtrip-validator

The Go module `github.com/mattermost/xml-roundtrip-validator` implements mitigations for multiple security issues in Go's `encoding/xml`. Applications that use `encoding/xml` for security-critical operations, such as XML signature validation and SAML, may use the `Validate` and `ValidateAll` functions to avoid impact from malicious XML inputs.

## Usage

### Validate

```Go
import (
    "strings"

    xrv "github.com/mattermost/xml-roundtrip-validator"
)

func DoStuffWithXML(input string) {
    if err := xrv.Validate(strings.NewReader(input)); err != nil {
        panic(err)
    }
    // validation succeeded, input is safe
    actuallyDoStuffWithXML(input)
}
```

### ValidateAll

```Go
import (
    "log"
    "strings"

    xrv "github.com/mattermost/xml-roundtrip-validator"
)

func DoStuffWithXML(input string) {
    // ValidateAll keeps going after the first problem and returns every error it found
    if errs := xrv.ValidateAll(strings.NewReader(input)); len(errs) != 0 {
        for _, err := range errs {
            log.Println(err) // here you can log each error individually if you like
        }
        return
    }
    // validation succeeded, input is safe
    actuallyDoStuffWithXML(input)
}
```

### CLI

Compiling:

```
$ go build cmd/xrv.go
```

Running:

```
$ ./xrv good.xml
Document validated without errors
$ ./xrv bad.xml 
validator: in token starting at 2:5: roundtrip error: expected {{ :Element} []}, observed {{ Element} []}
$ ./xrv -all bad.xml 
validator: in token starting at 2:5: roundtrip error: expected {{ :Element} []}, observed {{ Element} []}
validator: in token starting at 3:5: roundtrip error: expected {{ Element} [{{ :attr} z}]}, observed {{ Element} [{{ attr} z}]}
```

## Go vulnerabilities addressed

Descriptions of the Go vulnerabilities addressed by this module can be found in the advisories directory. Specifically, the issues addressed are:

 - [Element namespace prefix instability](./advisories/unstable-elements.md)
 - [Attribute namespace prefix instability](./advisories/unstable-attributes.md)
 - [Directive comment instability](./advisories/unstable-directives.md)
 - Any other similar roundtrip issues we may not know about
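To show what a roundtrip check of this kind does, here is an added, self-contained sketch using only `encoding/xml` (example code written for this page, not the module's implementation): every decoded token is re-encoded, decoded again and compared, and the first token that comes back different is reported, in the spirit of the roundtrip errors shown in the CLI output above. The `checkToken` helper and `RoundtripValidate` function are assumed names, the sketch only handles documents without namespace declarations, and it is not a substitute for the module.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"reflect"
)

// checkToken writes one decoded token with the stdlib Encoder, reads it back with a
// fresh Decoder and reports any difference (assumed helper, not the module's own code).
func checkToken(tok xml.Token) error {
	var buf bytes.Buffer
	enc := xml.NewEncoder(&buf)
	end, isEnd := tok.(xml.EndElement)
	if isEnd { // an end tag cannot be encoded alone, so wrap it in a matching start tag
		_ = enc.EncodeToken(xml.StartElement{Name: end.Name}) // cannot fail for a decoded name
	}
	if err := enc.EncodeToken(tok); err != nil {
		return err
	}
	_ = enc.Flush() // writes into a bytes.Buffer cannot fail
	dec := xml.NewDecoder(&buf)
	back, err := dec.Token()
	if isEnd && err == nil {
		back, err = dec.Token() // skip the synthetic start tag
	}
	// Both sides pass through CopyToken so nil and empty attribute slices compare alike.
	want, got := xml.CopyToken(tok), xml.CopyToken(back)
	if err == nil && !reflect.DeepEqual(want, got) {
		err = fmt.Errorf("roundtrip error: expected %#v, observed %#v", want, got)
	}
	return err
}

// RoundtripValidate fails on the first token that does not survive an encode/decode
// cycle unchanged, or on the first syntax error the decoder raises.
func RoundtripValidate(r io.Reader) error {
	dec := xml.NewDecoder(r)
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return nil
		} else if err == nil {
			err = checkToken(tok)
		}
		if err != nil {
			return fmt.Errorf("token ending at byte %d: %w", dec.InputOffset(), err)
		}
	}
}
```

A document whose tokens all come back unchanged yields a nil error; a syntax error or a token that decodes differently after re-encoding is reported with the byte offset at which the decoder finished reading it.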