Posted to j-users@xerces.apache.org by Thomas Leplus <th...@gmail.com> on 2020/10/13 16:32:10 UTC

Properly configure SchemaFactory to prevent XEE attacks via the document being validated

Hello,

I am trying to create a utility method to build a SchemaFactory configured
out-of-the-box to handle XML External Entity (XEE) attacks. The goal is to
have a centralized factory that takes care of all the configuration in a
single place.

I am currently doing this:

   SchemaFactory sf = SchemaFactory.newInstance(schemaLanguage);
   sf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
   sf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

The idea is to disable all DTDs (which is OK in my case). But when I try
the following test:

    public static final String VALID_XML_SCHEMA
            = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
            + "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
            + "  <xs:element name=\"note\"/>"
            + "</xs:schema>";

    public static final String VALID_XML_DOC_WITH_EXTERNAL_GENERAL_ENTITY
            = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
            + "<!DOCTYPE note ["
            + "  <!ELEMENT note ANY >"
            + "  <!ENTITY space SYSTEM \"note.dtd\">"
            + "]>"
            + "<note>&space;</note>";

   ...

   SchemaFactory factory = SecureXML.createSchemaFactory(XMLConstants.W3C_XML_SCHEMA_NS_URI);
   Schema schema = factory.newSchema(new StreamSource(new ByteArrayInputStream(VALID_XML_SCHEMA.getBytes())));
   Validator validator = schema.newValidator();
   validator.validate(new StreamSource(new ByteArrayInputStream(VALID_XML_DOC_WITH_EXTERNAL_GENERAL_ENTITY.getBytes())));

I get the following exception:

java.io.FileNotFoundException: note.dtd (No such file or directory)

This means the DTD is not ignored and so the XEE vulnerability is still
there. Note that XXE attempts in the XSD itself seem to be thwarted.

I have tried the various approaches listed on the OWASP XEE cheatsheet (
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html)
but as far as I can tell, none of them work with Xerces2.

Here is my complete pom.xml for reference:

<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0
http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>

  <groupId>org.leplus.infsec</groupId>
  <artifactId>xee</artifactId>
  <version>0.0.1-SNAPSHOT</version>
  <packaging>jar</packaging>

  <name>xee</name>
  <url>http://maven.apache.org</url>

  <properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
  </properties>

  <dependencies>
    <dependency>
      <groupId>xalan</groupId>
      <artifactId>xalan</artifactId>
      <version>2.7.2</version>
      <scope>runtime</scope>
    </dependency>
    <dependency>
      <groupId>xerces</groupId>
      <artifactId>xercesImpl</artifactId>
      <version>2.12.0</version>
      <scope>runtime</scope>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <version>4.12</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>

I have also created a GitHub project (https://github.com/thomasleplus/xee)
with all my source code and JUnit test case if someone wants to
reproduce/test the issue.

Thank you in advance for any help you can provide,

Tom
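Added example (editor's note, not the poster's code and not a reply from the list): the features set on the SchemaFactory govern how the XSD is parsed, while the instance document passed to Validator.validate(StreamSource) is read by the validator's own parser. One way to put the hardening in the path of the instance document is to parse it with an explicitly hardened XMLReader and hand the Validator a SAXSource built on that reader, so the DOCTYPE is rejected before any external entity is resolved. The class name, method names, the benign document and the "UNEXPECTED" message are this example's own; the schema and the entity-bearing document are constructed to mirror the ones in the post.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;

import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;

public class SecureValidationExample {

    // Constructed inputs, mirroring the post: a minimal schema and an instance
    // document whose internal DTD subset declares an external general entity.
    static final String SCHEMA =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
      + "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
      + "  <xs:element name=\"note\"/>"
      + "</xs:schema>";

    static final String DOC_WITH_EXTERNAL_ENTITY =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
      + "<!DOCTYPE note [<!ELEMENT note ANY><!ENTITY space SYSTEM \"note.dtd\">]>"
      + "<note>&space;</note>";

    static final String BENIGN_DOC =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?><note>hello</note>";

    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    /** Hardened SchemaFactory: controls how the XSD itself is parsed. */
    static SchemaFactory createSchemaFactory() throws SAXException {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        sf.setFeature(DISALLOW_DOCTYPE, true);
        return sf;
    }

    /** Hardened XMLReader: controls how the instance document is parsed. */
    static XMLReader createHardenedReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true); // schema validation needs namespace-aware events
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature(DISALLOW_DOCTYPE, true); // any <!DOCTYPE ...> is a fatal error
        // Belt and braces in case DOCTYPEs are ever re-enabled: never fetch external content.
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return spf.newSAXParser().getXMLReader();
    }

    /**
     * Validate via a SAXSource so the Validator consumes events from our hardened
     * reader instead of parsing the bytes with its own internal parser.
     */
    static void validate(Schema schema, String xml)
            throws ParserConfigurationException, SAXException, IOException {
        Validator validator = schema.newValidator();
        InputSource input = new InputSource(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        validator.validate(new SAXSource(createHardenedReader(), input));
    }

    public static void main(String[] args) throws Exception {
        Schema schema = createSchemaFactory().newSchema(new StreamSource(
            new ByteArrayInputStream(SCHEMA.getBytes(StandardCharsets.UTF_8))));

        validate(schema, BENIGN_DOC);
        System.out.println("benign document validated");

        try {
            validate(schema, DOC_WITH_EXTERNAL_ENTITY);
            System.out.println("UNEXPECTED: document with DOCTYPE was accepted");
        } catch (SAXParseException e) {
            // Expected: the DOCTYPE is rejected before note.dtd is ever looked up,
            // so no FileNotFoundException (and no network or file access) occurs.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The check worth keeping in a unit test is the negative one: the entity-bearing document must fail with a SAXParseException complaining about the DOCTYPE, not with an IOException about note.dtd, since the latter means the parser already tried to resolve the external reference. If a DOMSource is used instead, the same rule applies: the DocumentBuilderFactory that produced the DOM, not the Validator, is where the entity-handling features must be set.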