Posted to dev@eagle.apache.org by Michael Wu <mc...@gmail.com> on 2016/02/04 06:22:08 UTC
[Need to Fix] 2 security flaws scanned out by fortify
Hi team,
I used the fortify client to scan eagle's code and it reported 2 major security
issues. I list them below; please take a look and consider fixing them.
They are:
1. At org.apache.eagle.jobrunning.crawler.XmlHelper:41, the XML parser
configured at this position does not prevent or limit external entity
resolution, which can expose the parser to an XML External Entities attack.
*>> Explanation of the issue:*
- *XML External Entities attacks benefit from an XML feature to build
documents dynamically at the time of processing. An XML entity allows
inclusion of data dynamically from a given resource. External entities
allow an XML document to include data from an external URI. Unless
configured to do otherwise, external entities force the XML parser to
access the resource specified by the URI, e.g., a file on the local machine
or on a remote system. This behavior exposes the application to XML
External Entity (XXE) attacks, which can be used to perform denial of
service of the local system, gain unauthorized access to files on the local
machine, scan remote machines, and perform denial of service of remote
systems.*
- *The following XML document shows an example of an XXE attack.*
*****************************
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>
*****************************
- *This example could crash the server (on a UNIX system), if the XML
parser attempts to substitute the entity with the contents of the
/dev/random file.*
*>> Solving recommendation:*
- *The XML unmarshaller should be configured securely so that it does
not allow external entities as part of an incoming XML document.*
- *To avoid XXE injection do not use unmarshal methods that process an
XML source directly as java.io.File, java.io.Reader or java.io.InputStream.
Parse the document with a securely configured parser and use an unmarshal
method that takes the secure parser as the XML source as shown in the
following example:*
**********************
// imports needed by the snippet
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
// suppose we've got Unmarshaller instance referenced by unmarshaller
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
// do not expand entity references while building the DOM
dbf.setExpandEntityReferences(false);
DocumentBuilder db = dbf.newDocumentBuilder();
Document document = db.parse(<XML Source>); // <XML Source>: the untrusted input, e.g. an InputStream
Model model = (Model) unmarshaller.unmarshal(document); // unmarshal from the parsed DOM, not from the raw source
**********************
2. At org.apache.eagle.service.security.pwdgen.PasswordEncoderGenerator:23
and :26, there are a hardcoded password and a println(hashedPassword)
statement that violate the security rules.
*>> Solving recommendation:*
- *Since these statements are in a "main" method used for testing, and that
main method is the only method in the class, maybe we can delete the class
or remove the main method from it.*
Thanks,
Michael