fix: quote XPath string literals via _xpath_safe helper#615
Merged
Conversation
Add a private _xpath_safe() helper in panos.base that wraps a value as a valid XPath 1.0 string literal: single quotes by default, double quotes when the value contains a single quote, and concat() when it contains both. Use it everywhere the SDK interpolates a value into an XPath predicate. Templates that previously embedded the surrounding quotes (e.g. "[@name='%s']") drop them; the helper now supplies the correct quoting. For inputs without quote characters the rendered XPath is byte-identical to the previous output, so existing tests asserting exact xpath strings remain green.

Touched sites:

- panos/base.py: ENTRY/MEMBER constants, _root_xpath_vsys, SUFFIX consumer, delete_similar joiner, vsys-dict import delete, _TEMPLATE_VSYS_XPATH, both _get_param_specific_info overloads, VersionedPanObject.XPATH, delete_import, and the three re.sub 'entry varname' sites
- panos/firewall.py, panos/panorama.py, panos/userid.py, panos/network.py, panos/predefined.py: all variable interpolations into [@name=...], [@ip=...], and text()=... predicates

Hardcoded literals such as entry[@name='localhost.localdomain' are unchanged.
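An added, stand-alone illustration of the quoting rule the description above lays out; it is not code from pan-os-python. xpath_literal() is a hypothetical counterpart to the PR's _xpath_safe(), and entry_by_name(), the pre-fix template it renders when safe=False, and the sample tree are this example's own constructions, evaluated with the stdlib ElementTree XPath subset (which cannot evaluate concat(), so that case is shown only as the rendered string).

```python
import xml.etree.ElementTree as ET

def xpath_literal(value):
    """Wrap `value` as a well-formed XPath 1.0 string literal. XPath 1.0 has
    no escape sequence, so the delimiter depends on which quotes it contains."""
    value = str(value)
    if "'" not in value:
        return "'%s'" % value          # common case: single quotes
    if '"' not in value:
        return '"%s"' % value          # value holds a single quote
    # Both kinds present: split on single quotes and rejoin with concat(),
    # passing each single quote as the double-quoted literal "'".
    parts = value.split("'")
    pieces = []
    for i, part in enumerate(parts):
        if part:
            pieces.append("'%s'" % part)
        if i < len(parts) - 1:
            pieces.append('"\'"')
    return "concat(%s)" % ", ".join(pieces)

def entry_by_name(root, name, safe=True):
    """Find <entry name=...> under root. safe=False renders the pre-fix
    template "[@name='%s']" with the quotes baked in; safe=True lets
    xpath_literal() supply them."""
    if safe:
        xpath = "entry[@name=%s]" % xpath_literal(name)
    else:
        xpath = "entry[@name='%s']" % name
    return root.find(xpath)

def unsafe_lookup_rejected(root, name):
    """True if the pre-fix template yields an XPath the parser refuses."""
    try:
        entry_by_name(root, name, safe=False)
    except SyntaxError:                # ElementPath: "invalid predicate"
        return True
    return False

# Constructed sample tree (not a real device config); names mimic operator input.
SAMPLE = ET.fromstring(
    '<config><entry name="plain"/><entry name="O\'Brien"/>'
    '<entry name="say &quot;hi&quot;"/></config>'
)

if __name__ == "__main__":
    for name in ("plain", "O'Brien", 'say "hi"', 'it\'s "x"'):
        print(repr(name), "->", xpath_literal(name))
    print("pre-fix template rejected:", unsafe_lookup_rejected(SAMPLE, "O'Brien"))
    print("safe lookup finds:", entry_by_name(SAMPLE, "O'Brien").get("name"))
```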
Subject: Follow-up: CWE-643 XPath Injection in pan-os-python — PR #615

Hi,

I’m following up on my report regarding a CWE-643 XPath Injection issue in pan-os-python (notably around panos/base.py lines 52 and 415). I noticed PR #615 (“fix: quote XPath string literals via _xpath_safe helper”), which appears to address the same class of vulnerability by introducing a centralized quoting mechanism for XPath values.

Could you please confirm whether my report has been associated with this fix for triage and bounty evaluation? If helpful, I can provide additional details or validation.

Thank you for your time and for the prompt remediation work.

Best regards,
Summary

- _xpath_safe() helper in panos.base that wraps a value as an XPath 1.0 string literal, picking the appropriate quote character (and falling back to concat() for values containing both quote types).
- panos/base.py, panos/firewall.py, panos/network.py, panos/panorama.py, panos/predefined.py, and panos/userid.py. The ENTRY and MEMBER constants drop their literal '…' wrapping; the helper supplies it.

Test plan

- pytest tests/ — full existing suite passes
- tests/test_vsys_xpaths.py, tests/test_device_profile_xpaths.py, tests/test_base.py, tests/test_versioning.py, and tests/test_predefined.py all green
- _root_xpath_vsys, delete_similar, and _TEMPLATE_VSYS_XPATH substitution