Fix DO04 dead rule by dropping handlesResources from its condition#335
Open
arpitjain099 wants to merge 1 commit into
Open
Fix DO04 dead rule by dropping handlesResources from its condition#335arpitjain099 wants to merge 1 commit into
arpitjain099 wants to merge 1 commit into
Conversation
…ondition DO04 (XML Entity Expansion) targets Dataflow, but its condition also read target.handlesResources, an attribute that only exists on Asset subclasses. For any XML Dataflow the lookup raised AttributeError, which the broad except Exception in Threat.apply swallowed and turned into False, so DO04 never fired on the very flows it is meant to flag. Drop the handlesResources clause, leaving the format check that matches the threat description. Also remove the test line that injected handlesResources onto a Dataflow, which had been masking the bug. Fixes OWASP#272 Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes #272.
DO04 ("XML Entity Expansion") targets Dataflow, but its condition also reads target.handlesResources, which only exists on Asset subclasses, not on a plain Dataflow. So for any XML dataflow the lookup raises AttributeError, and the broad
except Exception: return Falsein Threat.apply swallows it into a False. The rule has been silently dead, never firing on the flows it's meant to flag.Per @raphaelahrens' suggestion in the issue, I dropped the
and target.handlesResources is Falseclause so the condition is justany(d.format == 'XML' for d in target.data), which matches the threat's description. I also removed thehandlesResources = Falseline in test_DO04, since that assignment was injecting the missing attribute and masking the bug.Tested on Python 3.13: the issue repro now flags DO04,
pytest -k DO04passes, and the full suite (243 tests) is green.Heads-up: #328 reworks the threat library into Python classes, so if it lands first this'll need a small rebase. Happy to redo it whichever way is easier. Thanks for taking a look.