Posted to dev@eagle.apache.org by Michael Wu <mc...@gmail.com> on 2016/02/04 06:22:08 UTC

[Need to Fix] 2 security flaws scanned out by fortify

Hi team,

I used the Fortify client to scan Eagle's code and it reported 2 major security
issues. I list them below; please take a look and consider fixing them.

They are:
1. At org.apache.eagle.jobrunning.crawler.XmlHelper:41, the XML parser
configured at this position does not prevent or limit external entity
resolution; this can expose the parser to an XML External Entities attack.
>> Explanation of the issue:

   - XML External Entities attacks benefit from an XML feature to build
   documents dynamically at the time of processing. An XML entity allows
   inclusion of data dynamically from a given resource. External entities
   allow an XML document to include data from an external URI. Unless
   configured to do otherwise, external entities force the XML parser to
   access the resource specified by the URI, e.g., a file on the local machine
   or on a remote system. This behavior exposes the application to XML
   External Entity (XXE) attacks, which can be used to perform denial of
   service of the local system, gain unauthorized access to files on the local
   machine, scan remote machines, and perform denial of service of remote
   systems.
   - The following XML document shows an example of an XXE attack.

*****************************
<?xml version="1.0" encoding="ISO-8859-1"?>
 <!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>

*****************************


   - This example could crash the server (on a UNIX system) if the XML
   parser attempts to substitute the entity with the contents of the
   /dev/random file.

>> Solving recommendation:

   - The XML unmarshaller should be configured securely so that it does
   not allow external entities as part of an incoming XML document.
   - To avoid XXE injection, do not use unmarshal methods that process an
   XML source directly as java.io.File, java.io.Reader or java.io.InputStream.
   Parse the document with a securely configured parser and use an unmarshal
   method that takes the secure parser as the XML source, as shown in the
   following example:

**********************
// suppose we've got Unmarshaller instance referenced by unmarshaller
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setExpandEntityReferences(false);
DocumentBuilder db = dbf.newDocumentBuilder();
Document document = db.parse(<XML Source>);
Model model = (Model) unmarshaller.unmarshal(document);
**********************


2. At org.apache.eagle.service.security.pwdgen.PasswordEncoderGenerator:23
and :26, there are a hardcoded password and a println(hashedPassword) statement
that violate the security rules.
>> Solving recommendation:

   - Since these statements are in a "main" method used for testing, and that
   main method is the only method in the class, maybe we can delete the class
   or remove the main method from the class.


Thanks,
Michael
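A hardened DocumentBuilderFactory configuration for the XmlHelper case discussed in the mail above, as an added example that is not part of the original message or of Eagle's code. The class name and the sample document are constructed for illustration; the parser features are the standard JAXP/Xerces ones.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class SafeXmlParsing {

    // Constructed sample: a document that declares an entity in an inline DTD.
    // A parser that honours DOCTYPE declarations expands &greet;; the hardened
    // factory below rejects the whole document before any expansion happens.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE foo [ <!ENTITY greet \"hello\"> ]>"
      + "<foo>&greet;</foo>";

    /** Factory that refuses DOCTYPE and never resolves external entities or DTDs. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Rejecting every DOCTYPE is the strongest setting: no inline DTD, no entities.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must keep DOCTYPE enabled.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Parses xml with the hardened factory; returns null when the document is rejected. */
    static Document parseSafely(String xml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        try {
            return db.parse(new InputSource(new StringReader(xml)));
        } catch (SAXParseException e) {
            // The disallow-doctype-decl feature surfaces as a SAXParseException.
            System.err.println("rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        Document doc = parseSafely(SAMPLE);
        System.out.println(doc == null ? "document rejected"
                                       : doc.getDocumentElement().getTextContent());
    }
}
```

Note that setExpandEntityReferences(false) on its own, as in the scanner's snippet, does not stop every JAXP implementation from fetching external entities and DTDs; disallowing DOCTYPE (or, failing that, the two external-entities features plus load-external-dtd) is what actually closes the XXE path.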