Posted to user@xmlbeans.apache.org by Christian Möller <dc...@gmx.de> on 2008/12/02 13:31:31 UTC

Question regarding suggested way to prevent XML bomb

Hi,

I've read the following article describing the so called "XML bomb":

http://searchsoftwarequality.techtarget.com/expert/KnowledgebaseAnswer/0,289625,sid92_gci1168442,00.html?asrc=SS_CLA_302558&psrc=CLT_92

Now I'm asking myself if my XMLBeans-based code is vulnerable. After
writing a simple test the answer is "definitely yes": an OutOfMemoryError
arises when parsing the following XML:

<?xml version='1.0'?>
<!DOCTYPE versions [
	<!ENTITY x0 'xml-entity-bomb'>
	<!ENTITY x1 '&x0;&x0;&x0;&x0;'>
	<!ENTITY x2 '&x1;&x1;&x1;&x1;'>
	<!ENTITY x3 '&x2;&x2;&x2;&x2;'>
	<!ENTITY x4 '&x3;&x3;&x3;&x3;'>
	<!ENTITY x5 '&x4;&x4;&x4;&x4;'>
	<!ENTITY x6 '&x5;&x5;&x5;&x5;'>
	<!ENTITY x7 '&x6;&x6;&x6;&x6;'>
	<!ENTITY x8 '&x7;&x7;&x7;&x7;'>
	<!ENTITY x9 '&x8;&x8;&x8;&x8;'>
	<!ENTITY x10 '&x9;&x9;&x9;&x9;'>
]>
<versions xmlns='urn:ietf:params:xml:ns:iris-transport'>
  <transferProtocol protocolId='iris.lwz1'>
    <application protocolId='urn:ietf:params:xml:ns:iris1'>
      <dataModel protocolId='&x10;' />
    </application>
  </transferProtocol>
</versions>

The next question is how to prevent it. Any recommendations?

Thanks and regards

Christian


PS: I've also read the XMLBeans Javadoc stating "By default, XmlBeans
does not resolve entities when parsing xml documents (unless an explicit
entity resolver is specified)."

http://xmlbeans.apache.org/docs/2.4.0/reference/org/apache/xmlbeans/XmlOptions.html#setLoadUseDefaultResolver()

I have not set any kind of entity resolver, so this seems to
contradict my experiences ... what's going wrong here?

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@xmlbeans.apache.org
For additional commands, e-mail: user-help@xmlbeans.apache.org


RE: Question regarding suggested way to prevent XML bomb

Posted by Radu Preotiuc-Pietro <ra...@oracle.com>.
Ok, that's the kind of thing I had in mind. Unfortunately, Piccolo doesn't support the SecurityManager option, so you have to use a different parser (like you did). Yes, you won't be able to parse the document, but on the other hand, if the document was sent by an attacker, you don't care.

Radu 



Re: Question regarding suggested way to prevent XML bomb

Posted by Christian Möller <dc...@gmx.de>.
Radu Preotiuc-Pietro schrieb:
> Yes, the question is how to disable DTDs. I have looked a bit through Piccolo's source code and haven't found a way. If anyone knows of how to do it for a particular parser and could post the info, that would be great. Then, Christian, you can use that particular parser with XMLBeans and you will be fine.

Hi Radu,

I've found a kind of solution by setting an XMLReader explicitly via an
XmlOptions instance and providing an appropriate instance of Xerces'
SecurityManager like this:

----------------------------------------------------
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.apache.xmlbeans.XmlOptions;
import org.xml.sax.XMLReader;
import com.sun.org.apache.xerces.internal.util.SecurityManager;

...

// Use the JDK's bundled Xerces SAX parser instead of XMLBeans' default
// parser (Piccolo), which does not understand the security-manager property.
SAXParser saxParser = SAXParserFactory.newInstance().newSAXParser();
SecurityManager securityManager = new SecurityManager();
// Default seems to be 64000!
securityManager.setEntityExpansionLimit(16);

// Register the SecurityManager so Xerces counts and caps entity expansions.
saxParser.setProperty("http://apache.org/xml/properties/security-manager",
    securityManager);
// System.out.println("Parser: " + saxParser);
final XMLReader xmlReader = saxParser.getXMLReader();
// Tell XMLBeans to load documents through this reader.
final XmlOptions xmlOptions = new XmlOptions().setLoadUseXMLReader(xmlReader);
----------------------------------------------------

Using the instance of XmlOptions as parameter with

VersionsDocument.Factory.parse(someReader, xmlOptions)

I get this exception:

----------------------------------------------------
org.apache.xmlbeans.XmlException: error: The parser has encountered more
than "16" entity expansions in this document; this is the limit imposed
by the application.
	at org.apache.xmlbeans.impl.store.Locale$SaxLoader.load(Locale.java:3486)
	at org.apache.xmlbeans.impl.store.Locale.parseToXmlObject(Locale.java:1329)
	at org.apache.xmlbeans.impl.store.Locale.parseToXmlObject(Locale.java:1316)
	at org.apache.xmlbeans.impl.schema.SchemaTypeLoaderBase.parse(SchemaTypeLoaderBase.java:360)
[...]
----------------------------------------------------

You will find explanations regarding Xerces' SecurityManager here:
- http://xerces.apache.org/xerces2-j/properties.html
- http://xerces.apache.org/xerces2-j/javadocs/xerces2/org/apache/xerces/util/SecurityManager.html

This way you should not be vulnerable to the XML bomb anymore, but
unfortunately you won't get your XML parsed :-)


Christian



RE: Question regarding suggested way to prevent XML bomb

Posted by Radu Preotiuc-Pietro <ra...@oracle.com>.
Yes, the question is how to disable DTDs. I have looked a bit through Piccolo's source code and haven't found a way. If anyone knows of how to do it for a particular parser and could post the info, that would be great. Then, Christian, you can use that particular parser with XMLBeans and you will be fine.

To answer your JavaDoc question, it is a little bit confusing, but that sentence doesn't refer to "XML entities" but "entities in the sense of EntityResolver", meaning documents accessible by source/public id (such as external DTDs, for example). Those are indeed disabled by default, but this is not relevant for your concern (it is relevant if you are worried about someone inserting something in a message sent to you that makes your server ping his/her server while processing the message).

Radu 
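As an added example (not code from this thread, from XMLBeans or from Xerces), the following Java class puts the thread's two points together: it rejects any DOCTYPE declaration up front, which is what jimmy's "deprecate DTD" suggestion amounts to and which stops the expansion chain before it starts, and it switches off external general and parameter entities, the "server pings his/her server" case Radu distinguishes above from internal entity expansion. The class name, the helper names and the small constructed bomb are assumptions; like Christian's workaround it uses the JDK's bundled Xerces reader obtained through SAXParserFactory instead of Piccolo, but via standard feature names rather than the internal SecurityManager class.

```java
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.apache.xmlbeans.XmlException;
import org.apache.xmlbeans.XmlObject;
import org.apache.xmlbeans.XmlOptions;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

public class HardenedXmlBeansParse {   // hypothetical class name

    // Build an XMLReader from the JDK's Xerces-based SAX factory (not Piccolo):
    // any DOCTYPE is rejected before entity declarations are read, so nested
    // expansions like x10 -> x9 -> ... never happen, and external entities are
    // turned off so a message cannot make the server fetch arbitrary URLs.
    static XMLReader hardenedReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);   // XMLBeans needs a namespace-aware reader
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return factory.newSAXParser().getXMLReader();
    }

    // Parse untrusted XML through XMLBeans with the hardened reader plugged in.
    static XmlObject parseUntrusted(String xml)
            throws ParserConfigurationException, SAXException, XmlException {
        XmlOptions options = new XmlOptions().setLoadUseXMLReader(hardenedReader());
        return XmlObject.Factory.parse(xml, options);
    }

    // Constructed inputs: a three-level cut of the thread's bomb, and a benign document.
    static final String BOMB =
          "<?xml version='1.0'?>\n"
        + "<!DOCTYPE versions [\n"
        + "  <!ENTITY x0 'xml-entity-bomb'>\n"
        + "  <!ENTITY x1 '&x0;&x0;&x0;&x0;'>\n"
        + "  <!ENTITY x2 '&x1;&x1;&x1;&x1;'>\n"
        + "]>\n"
        + "<versions><dataModel protocolId='&x2;'/></versions>";
    static final String BENIGN =
          "<versions xmlns='urn:ietf:params:xml:ns:iris-transport'>"
        + "<transferProtocol protocolId='iris.lwz1'/></versions>";

    public static void main(String[] args) throws Exception {
        try {
            parseUntrusted(BOMB);
            System.out.println("unexpected: bomb was parsed");
        } catch (XmlException e) {
            // Expected: the reader refuses the DOCTYPE, XMLBeans wraps that as XmlException
            System.out.println("rejected: " + e.getMessage());
        }
        XmlObject doc = parseUntrusted(BENIGN);
        System.out.println("benign document parsed: " + doc.xmlText());
    }
}
```

If the application genuinely has to accept documents with a DTD, keep the DOCTYPE feature off and fall back to a bounded entity expansion limit as in Christian's SecurityManager snippet; rejecting the DOCTYPE outright is the simpler and safer default when, as here, the payload is schema-typed anyway.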



Re: Question regarding suggested way to prevent XML bomb

Posted by jimmy Zhang <jz...@ximpleware.com>.
if u explicitly deprecate DTD and use schema, you will be fine...
----- Original Message ----- 
From: "Christian Möller" <dc...@gmx.de>
To: <us...@xmlbeans.apache.org>
Sent: Tuesday, December 02, 2008 4:31 AM
Subject: Question regarding suggested way to prevent XML bomb

