This repository has been archived by the owner on Nov 3, 2023. It is now read-only.

Impact of encoding/xml vulns #127

Open
licaon-kter opened this issue Dec 15, 2020 · 4 comments

Comments

@licaon-kter

Ref: https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/

@ortuman
Owner

ortuman commented Sep 10, 2021

Sorry, but I think I'm missing some context here. How these vulnerabilities are supposed to affect the project?

@licaon-kter
Author

It affects Go stuff that processes XML; jackal does this, so maybe it is too.

It's more of a heads-up; you'd need to analyze whether your usage is impacted or not.

@PaluMacil

If there is no security concern related to the ordering of attributes and elements, I don't believe these types of vulnerabilities affect the project. Basically, there is no way to ensure deterministic ordering between a struct and an XML doc through round trips. There are third-party libraries, which may be discussed in that blog post if I recall, that can help with this, but my guess is that this is not necessary unless you have some of the same concerns as projects like SAML, which I believe is where this was identified as an issue.
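The linked disclosure is about round-trip instability: a document that encoding/xml parses one way, re-serializes, and then parses differently, which matters whenever one component validates or signs XML that another component re-emits. The "analyze whether your usage is impacted" step from the thread can be made concrete with a parse/re-serialize/parse comparison. The following is an added example written for this page; it is not code from the issue, from jackal, or from the disclosure, and it does not reproduce the specific bugs reported there. It illustrates the class with one case I am confident of in the standard library: a child that opts out of an inherited default namespace (`xmlns=""`) is resolved to no namespace on the first parse, but the Encoder writes it back as a bare `<b>` inside the namespaced parent, so the second parse puts it in the parent's namespace. The function and type names (`RoundTripStable`, `resolve`, `reserialize`, `tok`) and the three input documents are my own constructions.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// tok is a namespace-resolved token: what application code actually sees
// once the decoder has applied the in-scope xmlns declarations.
type tok struct {
	Kind  string     // "start", "end" or "text"
	Name  xml.Name   // resolved {Space (URL), Local}
	Attrs []xml.Attr // attributes other than xmlns declarations
	Text  string
}

// isNSDecl reports whether an attribute is an xmlns / xmlns:prefix declaration.
func isNSDecl(n xml.Name) bool {
	return n.Space == "xmlns" || (n.Space == "" && n.Local == "xmlns")
}

// resolve parses doc into resolved tokens, dropping namespace declarations
// (they are the means of resolution, not content) and whitespace-only text.
func resolve(doc string) ([]tok, error) {
	d := xml.NewDecoder(strings.NewReader(doc))
	var out []tok
	for {
		t, err := d.Token()
		if err == io.EOF {
			return out, nil
		}
		if err != nil {
			return nil, err
		}
		switch v := t.(type) {
		case xml.StartElement:
			var attrs []xml.Attr
			for _, a := range v.Attr {
				if !isNSDecl(a.Name) {
					attrs = append(attrs, a)
				}
			}
			out = append(out, tok{Kind: "start", Name: v.Name, Attrs: attrs})
		case xml.EndElement:
			out = append(out, tok{Kind: "end", Name: v.Name})
		case xml.CharData:
			// Copy immediately: the decoder reuses the CharData buffer.
			if s := string(v); strings.TrimSpace(s) != "" {
				out = append(out, tok{Kind: "text", Text: s})
			}
		}
		// Comments, directives and processing instructions are ignored here.
	}
}

// reserialize re-emits resolved tokens with encoding/xml's Encoder, i.e. from
// resolved names rather than the original text, as Marshal does after Unmarshal.
func reserialize(toks []tok) (string, error) {
	var buf bytes.Buffer
	e := xml.NewEncoder(&buf)
	for _, t := range toks {
		var x xml.Token
		switch t.Kind {
		case "start":
			x = xml.StartElement{Name: t.Name, Attr: t.Attrs}
		case "end":
			x = xml.EndElement{Name: t.Name}
		case "text":
			x = xml.CharData(t.Text)
		}
		if err := e.EncodeToken(x); err != nil {
			return "", err
		}
	}
	if err := e.Flush(); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// sameTokens compares two resolved streams element by element.
func sameTokens(a, b []tok) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i].Kind != b[i].Kind || a[i].Name != b[i].Name || a[i].Text != b[i].Text ||
			len(a[i].Attrs) != len(b[i].Attrs) {
			return false
		}
		for j := range a[i].Attrs {
			if a[i].Attrs[j] != b[i].Attrs[j] {
				return false
			}
		}
	}
	return true
}

// RoundTripStable reports whether doc resolves to the same tokens before and
// after one re-serialization, and returns the re-serialized form for inspection.
// A false result is the signal to reject the input rather than forward it.
func RoundTripStable(doc string) (bool, string, error) {
	first, err := resolve(doc)
	if err != nil {
		return false, "", err
	}
	again, err := reserialize(first)
	if err != nil {
		return false, "", err
	}
	second, err := resolve(again)
	if err != nil {
		return false, again, err
	}
	return sameTokens(first, second), again, nil
}

func main() {
	// Constructed inputs for this example (not taken from the disclosure).
	docs := []string{
		`<a xmlns="ns"><b xmlns=""/></a>`,   // child opts out of the default namespace
		`<a xmlns="ns"><b xmlns="ns"/></a>`, // child explicitly in the same namespace
		`<a><b k="v"/></a>`,                 // no namespaces at all
	}
	for _, d := range docs {
		ok, re, err := RoundTripStable(d)
		fmt.Printf("stable=%v err=%v\n  in:  %s\n  out: %s\n", ok, err, d, re)
	}
}
```

The first document is reported unstable: the child is unnamespaced on the first parse and in namespace `ns` on the second, because the Encoder does not emit `xmlns=""` for an empty `Name.Space`. The other two are stable. The check is a gate, not a fix: it tells you that a given input will be read differently by the next parser in the chain, which is the property the linked post is about.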
