Posted to commits@flex.apache.org by cd...@apache.org on 2015/12/20 13:47:38 UTC
[08/31] flex-blazeds git commit: Fix security issue due to local
entity resolution issues in DocumentBuilder.
Fix security issue due to local entity resolution issues in DocumentBuilder.
Project: http://git-wip-us.apache.org/repos/asf/flex-blazeds/repo
Commit: http://git-wip-us.apache.org/repos/asf/flex-blazeds/commit/af405aa5
Tree: http://git-wip-us.apache.org/repos/asf/flex-blazeds/tree/af405aa5
Diff: http://git-wip-us.apache.org/repos/asf/flex-blazeds/diff/af405aa5
Branch: refs/heads/master
Commit: af405aa5974f8441873873ac6400dddc1039778e
Parents: aa98ccd
Author: Christofer Dutz <ch...@codecentric.de>
Authored: Thu Jul 23 14:18:34 2015 +0200
Committer: Christofer Dutz <ch...@codecentric.de>
Committed: Thu Jul 23 14:18:34 2015 +0200
----------------------------------------------------------------------
.../core/src/flex/messaging/util/XMLUtil.java | 8 +++++
.../BlazeDsXmlProcessingXXEVulnerability.java | 36 ++++++++++++++++++++
2 files changed, 44 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/flex-blazeds/blob/af405aa5/modules/core/src/flex/messaging/util/XMLUtil.java
----------------------------------------------------------------------
diff --git a/modules/core/src/flex/messaging/util/XMLUtil.java b/modules/core/src/flex/messaging/util/XMLUtil.java
index d34c344..da3349e 100644
--- a/modules/core/src/flex/messaging/util/XMLUtil.java
+++ b/modules/core/src/flex/messaging/util/XMLUtil.java
@@ -123,6 +123,14 @@ public class XMLUtil
StringReader reader = new StringReader(xml);
InputSource input = new InputSource(reader);
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+
+ // Disable local resolution of entities due to security issues
+ // See: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
+ factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ factory.setXIncludeAware(false);
+ factory.setExpandEntityReferences(false);
+
factory.setNamespaceAware(nameSpaceAware);
factory.setValidating(false);
DocumentBuilder builder = factory.newDocumentBuilder();
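Review bot: The added block leaves DOCTYPE processing enabled, so an inline DTD is still scanned; the parser limits are what stand between the caller and DTD-based resource exhaustion, and the fix depends on each individual feature being honored by whatever JAXP implementation is on the classpath. If no caller of this method needs a DTD, the stronger and more portable guard is to reject the declaration outright, `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`, placed before the two `external-*-entities` lines; the existing features can stay as defense in depth. Each `setFeature` call can throw `ParserConfigurationException` when the implementation does not support the feature — the enclosing method's signature and any surrounding try/catch start before this hunk, so whether that exception is declared or handled cannot be seen here; it should fail closed rather than fall through to parsing. A one-line comment on the `setExpandEntityReferences(false)` line would help the next reader, e.g. `// entity references stay as EntityReference nodes instead of being substituted into the DOM`.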
http://git-wip-us.apache.org/repos/asf/flex-blazeds/blob/af405aa5/modules/testsuite/src/test/java/flex/messaging/securityadvisories/BlazeDsXmlProcessingXXEVulnerability.java
----------------------------------------------------------------------
diff --git a/modules/testsuite/src/test/java/flex/messaging/securityadvisories/BlazeDsXmlProcessingXXEVulnerability.java b/modules/testsuite/src/test/java/flex/messaging/securityadvisories/BlazeDsXmlProcessingXXEVulnerability.java
new file mode 100644
index 0000000..71519dc
--- /dev/null
+++ b/modules/testsuite/src/test/java/flex/messaging/securityadvisories/BlazeDsXmlProcessingXXEVulnerability.java
@@ -0,0 +1,36 @@
+package flex.messaging.securityadvisories;
+
+import com.sun.org.apache.xml.internal.serialize.OutputFormat;
+import com.sun.org.apache.xml.internal.serialize.XMLSerializer;
+import flex.messaging.util.XMLUtil;
+import junit.framework.Assert;
+import junit.framework.TestCase;
+import org.w3c.dom.Document;
+
+import java.io.StringWriter;
+
+/**
+ * Created by christoferdutz on 23.07.15.
+ */
+
+public class BlazeDsXmlProcessingXXEVulnerability extends TestCase {
+
+ public void testVulnerability() throws Exception {
+ StringBuffer xml = new StringBuffer(512);
+ xml.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n");
+ xml.append("<!DOCTYPE foo [\r\n");
+ xml.append("<!ELEMENT foo ANY >\r\n");
+ xml.append("<!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]>\r\n");
+ xml.append("<foo>&xxe;</foo>");
+
+ Document data = XMLUtil.stringToDocument(xml.toString());
+
+ OutputFormat format = new OutputFormat(data);
+ StringWriter stringOut = new StringWriter();
+ XMLSerializer serial = new XMLSerializer(stringOut, format);
+ serial.serialize(data);
+
+ Assert.assertTrue(stringOut.toString().contains("&xxe;"));
+ }
+
+}
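Review bot: The serialization on lines 78-81 is done through `com.sun.org.apache.xml.internal.serialize.OutputFormat`/`XMLSerializer`, JDK-internal classes that are not part of any public API and are not guaranteed to exist on other JDKs or later releases, so this regression test for the XXE fix may stop compiling in exactly the environments where the fix matters. The standard DOM Level 3 LS API covers the same need: `DOMImplementationLS ls = (DOMImplementationLS) data.getImplementation().getFeature("LS", "3.0");` followed by `String out = ls.createLSSerializer().writeToString(data);`, with the assertion then run against `out` (I expect an unexpanded reference to still serialize as `&xxe;` — worth confirming once the change is made). The `StringBuffer` on line 69 is only ever used from this thread, so `StringBuilder` is the conventional choice. A class-level Javadoc stating what the test guards against would be more useful than the generated "Created by" line, e.g. `/** Verifies that XMLUtil.stringToDocument leaves an external general entity unresolved instead of fetching the referenced resource (XXE). */`.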