
Failed test 'No XXE SSRF vulnerability in our XML handling' (Dancer-1.3514_02) #1221

Open
eserte opened this issue Oct 4, 2020 · 3 comments


@eserte
Contributor

eserte commented Oct 4, 2020

On some of my smokers the test suite fails:

#   Failed test 'No XXE SSRF vulnerability in our XML handling'
#   at t/14_serializer/04_request_xml.t line 134.
#          got: '4'
#     expected: '1'
# access_line: Accessed at Sat Oct  3 08:29:36 2020
# access_line: Accessed at Sat Oct  3 08:29:36 2020
# access_line: Accessed at Sat Oct  3 08:29:36 2020
# access_line: Accessed at Sat Oct  3 08:29:36 2020
# Looks like you failed 1 test of 11.
t/14_serializer/04_request_xml.t .................... 
Dubious, test returned 1 (wstat 256, 0x100)
Failed 1/11 subtests 

No statistical analysis result available. The problem is that there is a lot of optional stuff involved here (XML::Simple, probably XML::Parser, XML::SAX, XML::LibXML, in addition to system libraries like expat and libxml2; also XML::SAX's ParserDetails.ini contents may matter), and there is no information about the modules used and their installed versions.

@bigpresh
Member

bigpresh commented Oct 6, 2020

Thanks - yeah, this one is going to be fun, as you say because of the mess of optional XML parsing modules which could be in use.

I guess I'll start by adding some diagnostics to figure out what's actually being used to look for cases where this route is getting hit when it shouldn't. @skington's work to fix it looks to work in some cases, but sometimes not.

@skington
Contributor

skington commented Oct 7, 2020

I wouldn't bother with this fix, precisely because of all of the various possible interactions with XML libraries. At $WORK we just binned the Mutable serialiser and replaced it with JSON.

@bigpresh
Member

bigpresh commented Oct 7, 2020

If it can be fixed, it would be nice, but if not, yeah, just documenting that allowing XML from untrusted sources carries security risks and not to use it is probably reasonable. I'll get some diagnostic output added then see what happens; if a pattern emerges and I can see a solution, I'll do it.
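A check along the lines of the failing test in the first comment, as an added example that is not Dancer's own code: it feeds a constructed XXE-style document (placeholder URL) to XML::LibXML directly rather than through the Dancer serializer, and counts how often the parser tries to resolve the external entity, first with libxml2 defaults and then with external DTD loading, entity expansion and network access switched off. It assumes XML::LibXML is the parser actually in use, which, as the thread notes, is not guaranteed.

```perl
#!/usr/bin/env perl
# Added example, not Dancer's code: count external entity lookups made by
# XML::LibXML for an untrusted document, with lax and hardened parser options.
use strict;
use warnings;
use XML::LibXML;

# Constructed sample document: an entity declared with an external SYSTEM
# identifier. The URL is a placeholder; the handler below replaces the real
# fetch, so nothing is contacted.
my $untrusted_xml = <<'XML';
<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY ext SYSTEM "http://example.invalid/placeholder">
]>
<data><value>&ext;</value></data>
XML

# Parse $xml with the given XML::LibXML options and return how many times the
# parser asked for an external entity (the signal the Dancer test derives from
# its access log lines).
sub count_external_lookups {
    my ($xml, %parser_opts) = @_;
    my $lookups = 0;
    my $parser  = XML::LibXML->new(
        %parser_opts,
        # Called whenever libxml2 wants to load an external entity: record the
        # attempt and hand back empty content instead of reading anything.
        ext_ent_handler => sub { $lookups++; return '' },
    );
    eval { $parser->parse_string($xml); 1 } or warn "parse error: $@";
    return $lookups;
}

# Defaults: entity references are expanded, so a lookup is attempted.
my $lax = count_external_lookups($untrusted_xml);

# Hardened: no external DTD, no entity expansion, no network access.
my $hardened = count_external_lookups(
    $untrusted_xml,
    load_ext_dtd    => 0,
    expand_entities => 0,
    no_network      => 1,
);

printf "external entity lookups: defaults=%d hardened=%d\n", $lax, $hardened;
```

Because the handler intercepts every external entity request, the script stays offline whichever options are in effect; the hardened configuration is the one that should report no lookups at all.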

3 participants