category_fetcher: reject XML responses with DOCTYPE/ENTITY declarations

User-configurable sites could send XXE or billion-laughs payloads via tag category API responses. Reject any XML body containing <!DOCTYPE or <!ENTITY before passing to ET.fromstring.
2026-04-12 14:55:30 -05:00 · 2026-04-12 14:55:30 -05:00 · ad6f876f40
commit ad6f876f40
parent 56c5eac870
1 changed files with 3 additions and 0 deletions
--- a/booru_viewer/core/api/category_fetcher.py
+++ b/booru_viewer/core/api/category_fetcher.py
@ -593,6 +593,9 @@ def _parse_tag_response(resp) -> list[tuple[str, int]]:
        return []
    out: list[tuple[str, int]] = []
    if body.startswith("<"):
+        if "<!DOCTYPE" in body or "<!ENTITY" in body:
+            log.warning("XML response contains DOCTYPE/ENTITY, skipping")
+            return []
        try:
            root = ET.fromstring(body)
        except ET.ParseError as e: