Posted to users@activemq.apache.org by Domenico Francesco Bruscino <br...@gmail.com> on 2022/10/28 10:45:09 UTC

Re: XML External Entity Prevention

Thanks for your feedback, I'll create a PR to add a system property to
disable XML External Entity[1] leaving the default as it is.

[1]
https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing

On Thu, 27 Oct 2022 at 17:02, Gary Tully <gt...@apache.org> wrote:

> I recall this being reported via security@.. back in dec/2020: subject
>  - " ActiveMQ Artemis XXE in XMLUtil"
> at that time I rejected it b/c it needs access to the file system. I
> think that is still true.
> We disable those features for xpath expansion, i guess it makes sense
> to be able to disable for xml config parsing too, and a system
> property would suffice, but I would leave the default as it is.
>
> On Thu, 27 Oct 2022 at 13:04, Clebert Suconic <cl...@gmail.com>
> wrote:
> >
> > I think this is a good plan Dom.
> >
> > On Wed, Oct 26, 2022 at 6:06 PM Domenico Francesco Bruscino <
> > brusdev@apache.org> wrote:
> >
> > > An XML External Entity attack is a type of attack against an application
> > > that parses XML input. This attack occurs when XML input containing a
> > > reference to an external entity is processed by a weakly configured XML
> > > parser. This attack may lead to the disclosure of confidential data, denial
> > > of service, server side request forgery, port scanning from the perspective
> > > of the machine where the parser is located, and other system impacts[1].
> > >
> > > ActiveMQ Artemis is using xml include to support modularising broker.xml[2]
> > > so disabling XML External Entity[1] by default would break this feature.
> > >
> > > A system property could be added to enable XML External Entity[1] to
> > > mitigate this backward compatibility issue. While new users could use
> > > broker properties[3] in place of modularising broker.xml[2].
> > >
> > > Do you have any concerns?
> > >
> > > Regards,
> > > Domenico
> > >
> > > [1] https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
> > > [2] https://github.com/apache/activemq-artemis/blob/main/docs/user-manual/en/configuration-index.md#modularising-brokerxml
> > > [3] https://github.com/apache/activemq-artemis/blob/main/docs/user-manual/en/configuration-index.md#broker-properties
> > >
> > --
> > Clebert Suconic
>
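An added example, not code from this thread or from ActiveMQ Artemis, of the toggle the thread proposes: a JAXP DocumentBuilder whose external-entity handling is switched by a system property, with an EntityResolver that records whether the parser ever tried to fetch the external entity. The property name `example.disableXxe` and the sample document are assumptions; the hardening features are the ones the OWASP XXE Prevention Cheat Sheet lists for JAXP DOM parsers.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class XxeToggleDemo {

   // Hypothetical property name: the thread proposes adding one but does not name it.
   static final String DISABLE_XXE_PROP = "example.disableXxe";

   // Constructed broker-style document whose internal DTD declares an external entity.
   // The SYSTEM id is never actually read: the resolver below answers with an empty source.
   static final String XML =
      "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE configuration [<!ENTITY ext SYSTEM \"file:///nonexistent/demo.txt\">]>\n"
      + "<configuration><core><name>&ext;</name></core></configuration>";

   static DocumentBuilder newBuilder(boolean disableXxe) throws Exception {
      DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
      f.setNamespaceAware(true);
      f.setXIncludeAware(true); // left on in both modes; per the thread, modularising broker.xml relies on it
      if (disableXxe) {
         // OWASP XXE Prevention Cheat Sheet settings for JAXP DOM parsers
         f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
         f.setFeature("http://xml.org/sax/features/external-general-entities", false);
         f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
         f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
         f.setExpandEntityReferences(false);
      }
      return f.newDocumentBuilder();
   }

   /** Parses the sample and reports whether the parser tried to resolve the external entity. */
   static String probe(boolean disableXxe) {
      boolean[] resolved = {false};
      try {
         DocumentBuilder b = newBuilder(disableXxe);
         b.setEntityResolver((publicId, systemId) -> {
            resolved[0] = true;                            // the parser reached out for systemId
            return new InputSource(new StringReader(""));  // hand back nothing
         });
         Document d = b.parse(new ByteArrayInputStream(XML.getBytes(StandardCharsets.UTF_8)));
         String name = d.getElementsByTagName("name").item(0).getTextContent();
         return "external entity resolution attempted=" + resolved[0] + ", <name>='" + name + "'";
      } catch (Exception e) {
         return "parse failed: " + e;
      }
   }

   public static void main(String[] args) {
      boolean disableXxe = Boolean.getBoolean(DISABLE_XXE_PROP); // e.g. -Dexample.disableXxe=true
      System.out.println(DISABLE_XXE_PROP + "=" + disableXxe + " -> " + probe(disableXxe));
   }
}
```

With the property unset the resolver is consulted for the SYSTEM id, which is the behaviour the thread wants to keep as the default; with it set to true the entity is skipped and the resolver is never called.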