MAINT: Document and test XMP security

Author: stefan6419846

.github/SECURITY.md

@@ -12,9 +12,11 @@ automatically inform all relevant team members. Otherwise, please
 get in touch with stefan6419846 through e-mail (current maintainer,
 address in GitHub profile).
 
+Please have a look at our [corresponding user documentation](https://pypdf.readthedocs.io/en/stable/user/security.html)
+as well, which includes some information about possibly invalid reports as well.
+
 We will try to find a fix in a timely manner and will then issue a security
-advisory together with the update via GitHub
+advisory together with the update via GitHub, as well as requesting a CVE
 ([example](https://github.com/py-pdf/pypdf/security/advisories/GHSA-xcjx-m2pj-8g79)).
 
-If you don't get a reaction within 30 days, please open a public issue on
-GitHub.
+If you do not get a reaction within 30 days, please open a public issue on GitHub.

docs/user/security.md

@@ -56,3 +56,15 @@ We receive reports about possibly insecure cryptography from time to time. This
 
 These are requirements of the PDF standard, which we need to achieve the greatest compatibility with.
 Although some of them might be deprecated in PDF 2.0, the PDF 2.0 adoption rate is very low and legacy documents need to be supported.
+
+### XML parsing
+
+We use `xml.minidom` for parsing XMP information. Given recent Python versions built against recent Expat versions, the usual attacks
+(exponential entity expansion and external entity expansion) should not be possible. We have corresponding tests in place to ensure
+this for the platforms our tests run against.
+
+For some details, see [the official documentation](https://docs.python.org/3/library/xml.html#xml-security) and the
+[README for defusedxml](https://github.com/tiran/defusedxml/blob/main/README.md#python-xml-libraries).
+
+Please note that automated scanners tend to still flag any direct imports of XML modules from the Python standard library as unsafe.
+There have been discussions about this being outdated already, but they are still being flagged.

tests/test_xmp.py

@@ -8,7 +8,7 @@
 import pypdf.xmp
 from pypdf import PdfReader, PdfWriter
 from pypdf.errors import PdfReadError, XmpDocumentError
-from pypdf.generic import NameObject, StreamObject
+from pypdf.generic import ContentStream, NameObject, StreamObject
 from pypdf.xmp import XmpInformation
 
 from . import RESOURCE_ROOT, SAMPLE_ROOT, get_data_from_url
@@ -887,3 +887,57 @@ def test_xmp_information__create_and_set_metadata():
     assert xmp.dc_contributor == ["test1"]
     assert xmp.dc_creator == ["test2"]
     assert xmp.dc_title == {"x-default": "test3"}
+
+
+def test_xmp_information__external_entity_expansion(tmpdir):
+    path = tmpdir / "secret.txt"
+    path.write("VERY SECRET")
+
+    stream = ContentStream(pdf=None, stream=None)
+    stream.set_data(f"""<?xml version="1.0"?>
+<!DOCTYPE foo [
+  <!ENTITY xxe SYSTEM "file://{path}">
+]>
+<x:xmpmeta xmlns:x="adobe:ns:meta/">
+  <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+    <rdf:Description rdf:about="">
+      <dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">&xxe;abc</dc:creator>
+    </rdf:Description>
+  </rdf:RDF>
+</x:xmpmeta>""".encode())
+
+    xmp = XmpInformation(stream)
+    assert xmp.dc_creator == ["abc"]
+
+
+@pytest.mark.timeout(10)
+def test_xmp_information__exponential_entity_expansion():
+    stream = ContentStream(pdf=None, stream=None)
+    stream.set_data(b"""<?xml version="1.0"?>
+<!DOCTYPE lolz [
+  <!ENTITY lol "lol">
+  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
+  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
+  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
+  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
+  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
+  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
+  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
+  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
+]>
+<x:xmpmeta xmlns:x="adobe:ns:meta/">
+  <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+    <rdf:Description rdf:about="">
+      <dc:title xmlns:dc="http://purl.org/dc/elements/1.1/">&lol9;</dc:title>
+    </rdf:Description>
+  </rdf:RDF>
+</x:xmpmeta>""")
+
+    with pytest.raises(
+            expected_exception=PdfReadError,
+            match=(
+                r"^XML in XmpInformation was invalid: limit on input amplification factor "
+                r"\(from DTD and entities\) breached: line 16, column 60$"
+            )
+    ):
+        XmpInformation(stream)