From 5c9ca45a14429699ab06e59442add14ca72feabf Mon Sep 17 00:00:00 2001
From: Raul Metsma <raul@metsma.ee>
Date: Tue, 4 Nov 2025 16:45:21 +0200
Subject: [PATCH] Disable by default XML_PARSE_HUGE

IB-8686

Signed-off-by: Raul Metsma <raul@metsma.ee>
---
 .github/workflows/build.yml |  4 +++-
 src/XMLDocument.h           | 10 ++++++++--
 test/data/xml-bomb-attr.xml | 21 +++++++++++++++++++++
 test/data/xml-bomb-cont.xml | 17 +++++++++++++++++
 test/libdigidocpp_boost.cpp | 24 +++++++++++++++++-------
 5 files changed, 66 insertions(+), 10 deletions(-)
 create mode 100644 test/data/xml-bomb-attr.xml
 create mode 100644 test/data/xml-bomb-cont.xml

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 71699fe56..22e3e59d8 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -22,10 +22,12 @@ jobs:
       run: |
         brew update
         brew install --formula swig doxygen boost
-        brew unlink python@3.12 || true
         brew unlink python@3.13 || true
+        brew unlink python@3.14 || true
         brew unlink openssl@3 || true
         brew unlink xz
+        sudo rm -rf /Library/Frameworks/Python.framework/Versions/3.13
+        sudo rm -rf /Library/Frameworks/Python.framework/Versions/3.14
     - name: Cache
       uses: actions/cache@v4
       id: cache
diff --git a/src/XMLDocument.h b/src/XMLDocument.h
index c05d0a7e4..277158246 100644
--- a/src/XMLDocument.h
+++ b/src/XMLDocument.h
@@ -315,13 +315,19 @@ struct XMLDocument: public unique_free_d<xmlFreeDoc>, public XMLNode
             return is->good() || is->eof() ? int(is->gcount()) : -1;
         }, nullptr, &is, XML_CHAR_ENCODING_NONE));
 #if VERSION_CHECK(XMLSEC_VERSION_MAJOR, XMLSEC_VERSION_MINOR, XMLSEC_VERSION_SUBMINOR) >= VERSION_CHECK(1, 3, 0)
-        ctxt->options |= xmlSecParserGetDefaultOptions();
+        ctxt->options |= xmlSecParserGetDefaultOptions() & ~XML_PARSE_HUGE;
 #else
-        ctxt->options |= XML_PARSE_NOENT|XML_PARSE_DTDLOAD|XML_PARSE_DTDATTR|XML_PARSE_NONET;
+        ctxt->options |= XML_PARSE_NOENT|XML_PARSE_DTDLOAD|XML_PARSE_DTDATTR|XML_PARSE_NONET|XML_PARSE_NODICT;
 #endif
         ctxt->loadsubset |= XML_DETECT_IDS|XML_COMPLETE_ATTRS;
         if(hugeFile)
+        {
             ctxt->options |= XML_PARSE_HUGE;
+#if LIBXML_VERSION < 21300
+            if(ctxt->sax)
+                ctxt->sax->entityDecl = 0;
+#endif
+        }
         auto result = xmlParseDocument(ctxt.get());
         if(result != 0 || !ctxt->wellFormed)
         {
diff --git a/test/data/xml-bomb-attr.xml b/test/data/xml-bomb-attr.xml
new file mode 100644
index 000000000..740be0b5c
--- /dev/null
+++ b/test/data/xml-bomb-attr.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
+<!DOCTYPE data [
+<!ENTITY ent0 "LoL">
+<!ENTITY ent1 "&ent0;&ent0;&ent0;&ent0;&ent0;&ent0;&ent0;&ent0;">
+<!ENTITY ent2 "&ent1;&ent1;&ent1;&ent1;&ent1;&ent1;&ent1;&ent1;">
+<!ENTITY ent3 "&ent2;&ent2;&ent2;&ent2;&ent2;&ent2;&ent2;&ent2;">
+<!ENTITY ent4 "&ent3;&ent3;&ent3;&ent3;&ent3;&ent3;&ent3;&ent3;">
+<!ENTITY ent5 "&ent4;&ent4;&ent4;&ent4;&ent4;&ent4;&ent4;&ent4;">
+<!ENTITY ent6 "&ent5;&ent5;&ent5;&ent5;&ent5;&ent5;&ent5;&ent5;">
+<!ENTITY ent7 "&ent6;&ent6;&ent6;&ent6;&ent6;&ent6;&ent6;&ent6;">
+<!ENTITY ent8 "&ent7;&ent7;&ent7;&ent7;&ent7;&ent7;&ent7;&ent7;">
+<!ENTITY ent9 "&ent8;&ent8;&ent8;&ent8;&ent8;&ent8;&ent8;&ent8;">
+<!ENTITY ent10 "&ent9;&ent9;&ent9;&ent9;&ent9;&ent9;&ent9;&ent9;">
+<!ENTITY ent11 "&ent10;&ent10;&ent10;&ent10;&ent10;&ent10;&ent10;&ent10;">
+<!ENTITY ent12 "&ent11;&ent11;&ent11;&ent11;&ent11;&ent11;&ent11;&ent11;">
+<!ENTITY ent13 "&ent12;&ent12;&ent12;&ent12;&ent12;&ent12;&ent12;&ent12;">
+]>
+<manifest:manifest xmlns:manifest="urn:oasis:names:tc:opendocument:xmlns:manifest:1.0">
+  <manifest:file-entry manifest:full-path="/" manifest:media-type="application/vnd.etsi.asic-e+zip"/>
+  <manifest:file-entry manifest:full-path="test.txt" manifest:media-type="application/octet-stream" x="&ent13;" />
+</manifest:manifest>
\ No newline at end of file
diff --git a/test/data/xml-bomb-cont.xml b/test/data/xml-bomb-cont.xml
new file mode 100644
index 000000000..82b51bb13
--- /dev/null
+++ b/test/data/xml-bomb-cont.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE lolz [
+ <!ENTITY lol "lol">
+ <!ELEMENT lolz (#PCDATA)>
+ <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
+ <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
+ <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
+ <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
+ <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
+ <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
+ <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
+ <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
+ <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
+]>
+<SignedDoc format="DIGIDOC-XML" version="1.3" xmlns="http://www.sk.ee/DigiDoc/v1.3.0#">
+<DataFile ContentType="EMBEDDED_BASE64" Filename="test.txt" Id="D0" MimeType="text/plain" Size="4" xmlns="http://www.sk.ee/DigiDoc/v1.3.0#">&lol9;</DataFile>
+</SignedDoc>
\ No newline at end of file
diff --git a/test/libdigidocpp_boost.cpp b/test/libdigidocpp_boost.cpp
index 2adeccd16..d7be0735b 100644
--- a/test/libdigidocpp_boost.cpp
+++ b/test/libdigidocpp_boost.cpp
@@ -25,18 +25,12 @@
 #include <DataFile.h>
 #include <Signature.h>
 #include <XmlConf.h>
+#include <XMLDocument.h>
 #include <crypto/Digest.h>
 #include <crypto/PKCS12Signer.h>
 #include <crypto/X509Crypto.h>
 #include <util/DateTime.h>
 
-#include <xmlsec/xmlsec.h>
-
-constexpr auto VERSION_CHECK(int major, int minor, int patch)
-{
-    return (major<<16)|(minor<<8)|patch;
-}
-
 namespace digidoc
 {
 
@@ -590,3 +584,19 @@ BOOST_AUTO_TEST_CASE(OpenInvalidMimetypeContainer)
     BOOST_CHECK_THROW(Container::openPtr("test-invalid.asics"), Exception);
 }
 BOOST_AUTO_TEST_SUITE_END()
+
+BOOST_AUTO_TEST_SUITE(XMLTestSuite)
+BOOST_AUTO_TEST_CASE(XMLBomb)
+{
+    BOOST_CHECK_EQUAL(XMLDocument("xml-bomb-attr.xml"), false);
+    BOOST_CHECK_EQUAL(XMLDocument("xml-bomb-cont.xml"), false);
+    if(std::fstream f{"xml-bomb-attr.xml"})
+        BOOST_CHECK_THROW(XMLDocument::openStream(f), Exception);
+    if(std::fstream f{"xml-bomb-cont.xml"})
+        BOOST_CHECK_THROW(XMLDocument::openStream(f), Exception);
+    if(std::fstream f{"xml-bomb-attr.xml"})
+        BOOST_CHECK_THROW(XMLDocument::openStream(f, {}, true), Exception);
+    if(std::fstream f{"xml-bomb-cont.xml"})
+        BOOST_CHECK_THROW(XMLDocument::openStream(f, {}, true), Exception);
+}
+BOOST_AUTO_TEST_SUITE_END()