Posted to commits@flex.apache.org by cd...@apache.org on 2015/12/20 13:47:38 UTC

[08/31] flex-blazeds git commit: Fix security issue due to local entity resolution issues in DocumentBuilder.

Fix security issue due to local entity resolution issues in DocumentBuilder.


Project: http://git-wip-us.apache.org/repos/asf/flex-blazeds/repo
Commit: http://git-wip-us.apache.org/repos/asf/flex-blazeds/commit/af405aa5
Tree: http://git-wip-us.apache.org/repos/asf/flex-blazeds/tree/af405aa5
Diff: http://git-wip-us.apache.org/repos/asf/flex-blazeds/diff/af405aa5

Branch: refs/heads/master
Commit: af405aa5974f8441873873ac6400dddc1039778e
Parents: aa98ccd
Author: Christofer Dutz <ch...@codecentric.de>
Authored: Thu Jul 23 14:18:34 2015 +0200
Committer: Christofer Dutz <ch...@codecentric.de>
Committed: Thu Jul 23 14:18:34 2015 +0200

----------------------------------------------------------------------
 .../core/src/flex/messaging/util/XMLUtil.java   |  8 +++++
 .../BlazeDsXmlProcessingXXEVulnerability.java   | 36 ++++++++++++++++++++
 2 files changed, 44 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/flex-blazeds/blob/af405aa5/modules/core/src/flex/messaging/util/XMLUtil.java
----------------------------------------------------------------------
diff --git a/modules/core/src/flex/messaging/util/XMLUtil.java b/modules/core/src/flex/messaging/util/XMLUtil.java
index d34c344..da3349e 100644
--- a/modules/core/src/flex/messaging/util/XMLUtil.java
+++ b/modules/core/src/flex/messaging/util/XMLUtil.java
@@ -123,6 +123,14 @@ public class XMLUtil
                 StringReader reader = new StringReader(xml);
                 InputSource input = new InputSource(reader);
                 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+
+                // Disable local resolution of entities due to security issues
+                // See: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
+                factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+                factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+                factory.setXIncludeAware(false);
+                factory.setExpandEntityReferences(false);
+
                 factory.setNamespaceAware(nameSpaceAware);
                 factory.setValidating(false);
                 DocumentBuilder builder = factory.newDocumentBuilder();
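Review bot: The four settings added before `setNamespaceAware` stop general and parameter entity resolution, but the DTD named in a `<!DOCTYPE>` is still fetched by the default Xerces configuration, so a document whose DOCTYPE points at an external SYSTEM subset still triggers an outbound request during parsing; adding `factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);` next to the two SAX features closes that path without changing how entity references are represented in the DOM. If callers never need a DOCTYPE at all, `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` is the stricter option, though it would make the parse fail outright rather than leave `&xxe;` unexpanded, so the companion test would have to be adjusted. `setFeature` throws ParserConfigurationException when a parser does not recognize a feature name; the enclosing method and its try/catch start outside the hunk, so whether that is handled cannot be seen here. The comment on the first added line says "local resolution" while the OWASP link and the feature names concern external entities; `// Disable resolution of external entities (XXE)` would match what the code does.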

http://git-wip-us.apache.org/repos/asf/flex-blazeds/blob/af405aa5/modules/testsuite/src/test/java/flex/messaging/securityadvisories/BlazeDsXmlProcessingXXEVulnerability.java
----------------------------------------------------------------------
diff --git a/modules/testsuite/src/test/java/flex/messaging/securityadvisories/BlazeDsXmlProcessingXXEVulnerability.java b/modules/testsuite/src/test/java/flex/messaging/securityadvisories/BlazeDsXmlProcessingXXEVulnerability.java
new file mode 100644
index 0000000..71519dc
--- /dev/null
+++ b/modules/testsuite/src/test/java/flex/messaging/securityadvisories/BlazeDsXmlProcessingXXEVulnerability.java
@@ -0,0 +1,36 @@
+package flex.messaging.securityadvisories;
+
+import com.sun.org.apache.xml.internal.serialize.OutputFormat;
+import com.sun.org.apache.xml.internal.serialize.XMLSerializer;
+import flex.messaging.util.XMLUtil;
+import junit.framework.Assert;
+import junit.framework.TestCase;
+import org.w3c.dom.Document;
+
+import java.io.StringWriter;
+
+/**
+ * Created by christoferdutz on 23.07.15.
+ */
+
+public class BlazeDsXmlProcessingXXEVulnerability extends TestCase {
+
+    public void testVulnerability() throws Exception {
+        StringBuffer xml = new StringBuffer(512);
+        xml.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n");
+        xml.append("<!DOCTYPE foo [\r\n");
+        xml.append("<!ELEMENT foo ANY >\r\n");
+        xml.append("<!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]>\r\n");
+        xml.append("<foo>&xxe;</foo>");
+
+        Document data = XMLUtil.stringToDocument(xml.toString());
+
+        OutputFormat format = new OutputFormat(data);
+        StringWriter stringOut = new StringWriter();
+        XMLSerializer serial = new XMLSerializer(stringOut, format);
+        serial.serialize(data);
+
+        Assert.assertTrue(stringOut.toString().contains("&xxe;"));
+    }
+
+}
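Review bot: The assertion on the last statement of `testVulnerability` depends on `com.sun.org.apache.xml.internal.serialize.XMLSerializer`, a JDK-internal class that is not part of the public API, so the test compiles only on JDKs that bundle the internal Xerces copy and will break under stronger encapsulation or on other vendors' runtimes. The same check can be made directly on the DOM returned by `XMLUtil.stringToDocument` with `Assert.assertEquals(Node.ENTITY_REFERENCE_NODE, data.getDocumentElement().getFirstChild().getNodeType());` (importing `org.w3c.dom.Node`), which drops both internal imports and the serialization round trip. Checking that `&xxe;` survives serialization only shows the reference was not expanded; a second assertion that the output does not contain any text content under `<foo>` would make the intent explicit. The class Javadoc `Created by christoferdutz on 23.07.15.` says nothing about the test; a sentence naming the advisory it covers and that it expects the entity to stay unexpanded would help the next reader, and `StringBuffer` could be `StringBuilder` since the buffer is not shared.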