From c8e1efecdb894cb1cb4081b032778c41a9f05b2a Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Thu, 21 Jan 2021 17:46:21 -0500
Subject: [PATCH] Mitigate XML parse risks

The intended xml never has !entity tags and thus we can reject any such XML outright and avoid billion laughs and similar abuses.
---
 confluent_server/confluent/discovery/handlers/smm.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/confluent_server/confluent/discovery/handlers/smm.py b/confluent_server/confluent/discovery/handlers/smm.py
index 3ef79ef3..a96eb410 100644
--- a/confluent_server/confluent/discovery/handlers/smm.py
+++ b/confluent_server/confluent/discovery/handlers/smm.py
@@ -27,7 +27,12 @@ import confluent.netutil as netutil
 import confluent.util as util
 getaddrinfo = eventlet.support.greendns.getaddrinfo
-from xml.etree.ElementTree import fromstring
+from xml.etree.ElementTree import fromstring as rfromstring
+
+def fromstring(inputdata):
+ if '!entity' in inputdata.lower():
+ raise Exception('!ENTITY not supported in this interface')
+ return rfromstring(inputdata)
 def fixuuid(baduuid):
 # SMM dumps it out in hex
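Review bot: The guard in the new `fromstring` wrapper, `'!entity' in inputdata.lower()`, only works when `inputdata` is a `str`; on Python 3 a `bytes` response body makes the `in` test raise `TypeError` instead of the intended rejection, and the call sites that decide which type arrives are outside this hunk. Normalising first keeps the check meaningful for both types, e.g. `text = inputdata.decode('utf-8', 'replace') if isinstance(inputdata, bytes) else inputdata` followed by `if '!entity' in text.lower():`. Since entities can only be declared inside a DTD, also refusing `'<!doctype'` would make the check less dependent on one literal token, assuming SMM responses never carry a DOCTYPE. Raising `ValueError` rather than bare `Exception`, with a one-line docstring such as `"""Parse SMM XML, refusing documents that declare entities."""`, would let callers tell rejected input from other failures.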