使用 Perl XML::Simple 解析带有命名空间的 xml

【问题标题】:Parsing xml with namespace using Perl XML::Simple使用 Perl XML::Simple 解析带有命名空间的 xml
【发布时间】:2013-02-01 02:37:48
【问题描述】:

所有,我真的可以在这里使用一些帮助。我的最终目标是能够使用 perl 读取 xml 文件并将其插入数据库以跟踪 CVE。在这个阶段,如果我可以在我的代码中引用 XML 文件中的变量,我确信我可以将它插入到数据库中。现在我要做的就是将它打印到屏幕上,但我无法让它工作。

这是我的简单代码和 XML 文件。

希望有人可以带我去这里。

--Perl 代码开始--

#!/usr/bin/perl

# use module
use XML::Simple;
use Data::Dumper;

# create object
xml = new XML::Simple (KeyAttr=>[]);

# read XML file
#$data = $xml->XMLin("tms.xml");

# print output - used this to see if it was even reading it
#print Dumper($data);

# access XML data
print "Here is the BugTrackID: $data->{'x:BugTraqID'}\n";

--perl 代码结束--

--xml的开始--

<?xml version="1.0" encoding="us-ascii"?>
<Alerts xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:alerts.symantec.com https://alerts.symantec.com/vulalert.xsd">
<x:AlertDocument xmlns:x="urn:alerts.symantec.com" AlertStatusID="57982" Type="1" DetailLevel="25" Language="1">
<x:BugTraqID>57982</x:BugTraqID>
<x:Title>Sonar Multiple Cross Site Scripting Vulnerabilities</x:Title>
<x:StatusID>1</x:StatusID>
<x:CVE>CVE-MAP-NOMATCH</x:CVE>
<x:Published>Feb 12 2013</x:Published>
<x:LastUpdated>2013-02-15T19:03:48</x:LastUpdated>
<x:Remote>Yes</x:Remote>
<x:Local>No</x:Local>
<x:Credibility>Single Source</x:Credibility>
<x:Classification>Input Validation Error</x:Classification>
<x:Availability>User Initiated</x:Availability>
<x:Ease>Exploit Available</x:Ease>
<x:Authentication>Not Required</x:Authentication>
<x:CVSS2_BaseScore>5.8</x:CVSS2_BaseScore>
<x:CVSS2_TemporalScore>5</x:CVSS2_TemporalScore>
<x:CVSS2_BaseVector>AV:N/AC:M/Au:N/C:P/I:P/A:N</x:CVSS2_BaseVector>
<x:CVSS2_TemporalVector>E:F/RL:U/RC:UC</x:CVSS2_TemporalVector>
<x:CVSS1_BaseScore>3.7</x:CVSS1_BaseScore>
<x:CVSS1_TemporalScore>3.2</x:CVSS1_TemporalScore>
<x:NVD_CVSS2_BaseScore>4.3</x:NVD_CVSS2_BaseScore>
<x:NVD_CVSS2_ComponentString>AV:N/AC:M/Au:N/C:N/I:P/A:N</x:NVD_CVSS2_ComponentString>
<x:ImpactRating>4</x:ImpactRating>
<x:Severity>6.1</x:Severity>
<x:EaseofExploit>8</x:EaseofExploit>
<x:UrgencyRating>6.1</x:UrgencyRating>
<x:LastChange>Initial analysis.</x:LastChange>
<x:VulnerableSystems>
  <x:VulnerableSystem>
    <x:Title><![CDATA[SonarSource Sonar 3.4.1 cpe:/a:sonarsource:sonar:3.4.1 SYMC]]></x:Title>
  </x:VulnerableSystem>
</x:VulnerableSystems>
<x:ShortSummary><![CDATA[Sonar is prone to multiple cross-site scripting vulnerabilities.]]></x:ShortSummary>
<x:Impact>An attacker may leverage these issues to   execute arbitrary script code in the browser of an unsuspecting user in   the context of the affected site. This may allow the attacker to steal   cookie-based authentication credentials and launch other attacks.</x:Impact>
<x:TechnicalDescription><![CDATA[Sonar is the open source platform for code quality inspection.         

The application is prone to multiple  cross-site scripting vulnerabilities because it fails to sanitize  user-supplied input submitted to the following scripts and parameters:     

&apos;index.php  &apos; : &apos;search&apos;,   &apos;assignee_login&apos;,      
&apos;author_login&apos;     
&apos;sources.php&apos; :  &apos;resource&apos;     

An attacker may leverage these issues to  execute arbitrary script code in the browser  of an unsuspecting user in  the context of the affected site. This may allow the attacker to steal  cookie-based authentication credentials and launch other attacks.                                                 

Sonar 3.4.1 is vulnerable; other versions may also be affected.]]>  
</x:TechnicalDescription>
<x:AttackScenario><![CDATA[1. An attacker scans for and locates a site running the affected application.      

2. The attacker crafts a URI link that includes malicious script code designed to leverage one of these issues.      

3. The attacker uses email or other means to distribute the malicious link and entices an unsuspecting user to follow it.      

4. When the user follows the link, the attacker-specified script code runs in their browser in the context of the affected site.       

A successful exploit may let the attacker steal cookie-based authentication credentials and launch other attacks.]]></x:AttackScenario>
<x:Exploit><![CDATA[Attackers can exploit these issues by enticing an unsuspecting victim into following a malicious URI.         

The following example URIs are available: 

http://www.example.com/dependencies/index?   search="&amp;gt;&amp;lt;script&amp;gt;alert(/devilteam.pl/)&amp;lt;/script&amp;gt; 

http://www.example.com/dashboard/index/41730? did=4&amp;amp;period=3"&amp;gt;&amp;lt;script&amp;gt;alert(/devilteam.pl/)&amp;lt;/script&am p;gt; 

http://www.example.com/reviews/index?review_id=&amp;amp;statuses[]=OPEN&amp;amp;statuses[]=REOPENED&amp;amp;severities[]=&amp;amp;projects[]=&amp;amp;amp;author_login=&amp;amp;assignee_login="&amp;gt;&amp;lt;script&amp;gt;alert(/devilteam.pl/)&amp;lt;/script&amp;gt;&amp;amp;false_positives=without&amp;amp;sort=&amp;amp;asc=false&amp;amp;commit=Search 

http://www.example.com/reviews/index?review_id=&amp;amp;statuses[]=OPEN&amp;amp;statuses[]=REOPENED&amp;amp;severities[]=&amp;amp;projects[]=&amp;amp;amp;author_login="&amp;gt;&amp;lt;script&amp;gt;alert(/devilteam.pl/)&amp;lt;/script&amp;gt;&amp;amp;assignee_login=&amp;amp;false_positives=without&amp;amp;sort=&amp;amp;asc=false&amp;amp;commit=Search 

http://www.example.com/api/sources?resource=&amp;lt;script&amp;gt;alert(/devilteam.pl/)&amp;lt;/script&amp;gt;&amp;amp;format=txt

]]></x:Exploit>
<x:MitigatingStrategies>
  <x:MitigatingStrategy>
    <x:Title><![CDATA[Block external access at the network boundary, unless external parties require service.]]></x:Title>
    <x:Description><![CDATA[If global access isn&apos;t needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.]]></x:Description>
  </x:MitigatingStrategy>
  <x:MitigatingStrategy>
    <x:Title><![CDATA[Run all software as a nonprivileged user with minimal access rights.]]></x:Title>
    <x:Description><![CDATA[Attackers may successfully exploit client flaws in the browser through cross-site scripting vulnerabilities. When possible, run client software as regular user accounts with limited access to system resources. This may limit the immediate consequences of client-side vulnerabilities. ]]></x:Description>
  </x:MitigatingStrategy>
  <x:MitigatingStrategy>
    <x:Title><![CDATA[Do not follow links provided by unknown or untrusted sources.]]></x:Title>
    <x:Description><![CDATA[Web users should be cautious about following links to websites that are provided by unfamiliar or suspicious sources. Filtering HTML from emails may help remove a possible vector for transmitting malicious links to users. ]]></x:Description>
  </x:MitigatingStrategy>
  <x:MitigatingStrategy>
    <x:Title><![CDATA[Set web browser security to disable the execution of script code or active content.]]></x:Title>
    <x:Description><![CDATA[Since exploiting cross-site scripting issues often requires malicious script code to run in browsers, consider disabling script code and active content support within a client browser as a way to prevent a successful exploit. Note that this mitigation tactic might adversely affect legitimate sites that rely on the execution of browser-based script code. ]]></x:Description>
  </x:MitigatingStrategy>
</x:MitigatingStrategies>
<x:Solutions>
  <x:Workaround><![CDATA[Workaround
]]></x:Workaround>
  <x:Solution><![CDATA[Currently, we are not aware of any vendor-supplied patches. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.]]></x:Solution>
</x:Solutions>
<x:Credit>DevilTeam</x:Credit>
<x:ChangeLogs>
  <x:ChangeLog>
    <x:Title><![CDATA[2013.02.15: Initial analysis.]]></x:Title>
  </x:ChangeLog>
</x:ChangeLogs>
<x:References>
  <x:Reference>
    <x:Title><![CDATA[Web Page:Sonar Homepage (SonarSource) SonarSource]]></x:Title>
    <x:URL><![CDATA[http://www.sonarsource.com/products/software/sonar/]]></x:URL>
    <x:Description><![CDATA[http://www.sonarsource.com/products/software/sonar/]]></x:Description>
  </x:Reference>
  <x:Reference>
    <x:Title><![CDATA[Web Page:Sonar v.3.4.1 =&amp;gt; XSS (CWE-79) (DevilTeam) DevilTeam]]></x:Title>
    <x:URL><![CDATA[http://cxsecurity.org/issue/WLB-2013020088]]></x:URL>
    <x:Description><![CDATA[http://cxsecurity.org/issue/WLB-2013020088]]></x:Description>
  </x:Reference>
</x:References>
<x:URL>https://alerts.symantec.com/loaddocument.aspx?GUID=cffd18f0-7b75-4c6a-adc0-74f480808fff</x:URL>
<x:OVALDefinitions />
</x:AlertDocument>
</Alerts>

--xml结束---

【问题讨论】:

  • 你有什么问题?
  • 您提到了命名空间。 XML::Simple 了解命名空间和前缀。它只是假设前缀是节点名称的一部分。 “XML::Simple,您可以使用的最复杂的 XML 解析器。”
  • 我无法让它输出任何值。具体来说,我只是想让它从 xml 文件中打印 bugtraqid 值。它回来为空。
  • 我可以使用更好的东西吗?我真正需要做的就是读取文件并将其中一些标签存储在数据库中。
  • 我更喜欢 XML::LibXML。查看我的更新。

标签: xml perl parsing


【解决方案1】:

你在寻找$data-&gt;{'x:AlertDocument'}{'x:BugTraqID'}吗?

我更喜欢 XML::LibXML。无论文档中使用什么前缀(如果有),以下内容都将起作用。 (您永远不必关心文档中使用的前缀。)

#!/usr/bin/perl

use strict;
use warnings;

use XML::LibXML               qw( );
use XML::LibXML::XPathContext qw( );

my $parser = XML::LibXML->new();
my $doc = $parser->parse_file("tms.xml");

my $xpc = XML::LibXML::XPathContext->new($doc);
$xpc->registerNs(x => 'urn:alerts.symantec.com');

for my $alert_doc ($xpc->findnodes('/Alerts/x:AlertDocument')) {
   my ($bug_traq_id) = $xpc->findnodes('x:BugTraqID', $alert_doc);
   print $bug_traq_id->textContent(), "\n";
}

【讨论】:

  • 我仍然没有返回任何值。我明白了:这是 CVE:
  • 我在发布之前进行了测试。您测试中的某些内容与您发布的内容不同。
  • 或者您的 XML::Simple 使用了损坏的 XML 解析器? XML::Simple 实际上不是解析器;它只是众多解析器之一的前端。
  • 我想知道我的解析器是否安装不正确。你得到输出?这简直要了我的命。
  • 哦,是的,我必须将xml 更改为$xml 并将#$data 更改为$data。您发布的内容甚至无法编译。
【解决方案2】:

您的 XML 没有目标命名空间。这不是问题,但您必须考虑到这一点。

您可以指定 XML::Simple 将使用哪个解析器。

这是一个代码示例,XML::Simple 可以得到您期望的结果。

tvnshack$ ./a.pl 
Trying bugtrack.xml ... bugtrack.xml is indeed valid
 BugTrackID is: 57982

代码如下...可根据您的喜好进行调整(它基于我在生产中使用的一些实时代码)。

#!/opt/perl/bin/perl -w

use strict;
use XML::Simple qw(:strict);
use Data::Dumper;

# Supported namespaces
my $nspcBUGT = 'urn:alerts.symantec.com';
my $parsingfailed = 0;
my $XMLdata;

my $XMLfname = 'bugtrack.xml';

  print STDOUT "Trying $XMLfname ... ";

  $XML::Simple::PREFERRED_PARSER = 'XML::SAX::Expat';
  my $simpleCstr = XML::Simple->new(
    Cache => [ 'memshare' ],
    KeyAttr => [],
    ForceArray => 1,
    KeepRoot => 1,
    ContentKey => 'value',
    NSExpand => 1,
    NormaliseSpace => 1);
  eval {
    $parsingfailed++;
    # if the parsing fails, the module will terminate the process abruptly. 
    $XMLdata = $simpleCstr->XMLin($XMLfname);
    # This line of code will not be executed, leaving $parsingfailed>0.
    $parsingfailed = 0;
  };
  if ( $parsingfailed > 0) {
    print STDERR "Error: That XML file <$XMLfname> can not be read, does not exist or is not a valid XML file (possible wrong namespace too).\n";
  } else {
    if (defined($XMLdata->{"Alerts"})) {
      print STDOUT "$XMLfname is indeed valid\n";
      print STDOUT " BugTrackID is: " . $XMLdata->{'Alerts'}->[0]->{"{$nspcBUGT}AlertDocument"}->[0]->{"{$nspcBUGT}BugTraqID"}->[0] . "\n";
      #  print Dumper($XMLdata) . "\n";
    }
  }

__END__

【讨论】:

  • 我想知道谁以及为什么这个贡献被投反对票,并讨论一下。我从事实中学到了在生产中运行此代码的长期经验。我保证任何不采取上述预防措施的人迟早都会遇到问题。我可能是错的,或者不是详尽无遗的。这需要讨论。
猜你喜欢
  • 2023-03-12
  • 1970-01-01
  • 1970-01-01
  • 1970-01-01
  • 2012-06-09
  • 2010-09-12
  • 2014-07-28
  • 1970-01-01
  • 1970-01-01
相关资源
最近更新 更多
热门标签
Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode