SAXParserFactory doesn't disable XML entity expansion #3446

Open
jerseyrobot opened this issue Oct 7, 2016 · 7 comments · Fixed by logstash-plugins/logstash-integration-kafka#75

Comments

@jerseyrobot
Contributor

The DocumentBuilderFactory and XmlInputFactory providers aren't vulnerable to Billion Laughs attacks (exponential entity expansion) because they disable entity expansion altogether.

But the SAXParserFactory provider only disables external entities, and it's possible to use the following input to generate very high memory consumption (especially if the application using it allows parallel requests):

<?xml version="1.0" encoding="UTF-8"?> 
<!DOCTYPE lolz [
  <!ENTITY lol "lollollollollollollol[...]">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
]>
<Quote> 
<fName>FIRST NAME &lol6;</fName> 
</Quote>

There is actually a limit, but it is very high (like 100000 I think, and I couldn't configure it with the entityExpansionLimit JDK property). If it doesn't work, try removing the last level of recursion. Even if the depth is limited, there is no maximum for the expanded size, so adding a few kilobytes to the entity text would make the attack successful.

Check disallow-doctype-decl feature in this example:
https://gist.github.com/asudhakar02/45e2e6fd8bcdfb4bc3b2

Affected Versions

[2.24]
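
The following is an added, self-contained Java example that is not part of the original report or of Jersey's own code. It builds a scaled-down payload in the shape of the one above (4 levels of 10 references, so it runs in well under a second), parses it with a SAXParserFactory configured the way the report describes Jersey 2.24 doing it (external entities off, internal expansion left on), and then with two hardened configurations: one that refuses the DOCTYPE declaration entirely, as in the OWASP cheat sheet linked in the thread, and one that keeps DTDs but caps the JDK entity limits per parser instead of via the `jdk.xml.*` system properties discussed later in the thread. The class name `SaxEntityExpansionDemo`, the helper names and the reduced payload are this example's own; the feature and property URIs are the standard JAXP/Xerces ones. Requires Java 11+ for `String.repeat`.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class SaxEntityExpansionDemo {

    // Constructed payload in the shape of the one in the report, scaled down to
    // 4 levels of 10 references: 11,111 expansions in total (below the 64,000
    // JDK default), but roughly 600 KB of text produced from a ~500 byte document.
    static String billionLaughs() {
        StringBuilder dtd = new StringBuilder("<!DOCTYPE lolz [\n");
        dtd.append("  <!ENTITY lol \"").append("lol".repeat(20)).append("\">\n");
        for (int i = 2; i <= 5; i++) {
            String prev = (i == 2) ? "&lol;" : "&lol" + (i - 1) + ";";
            dtd.append("  <!ENTITY lol").append(i).append(" \"")
               .append(prev.repeat(10)).append("\">\n");
        }
        dtd.append("]>\n");
        return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" + dtd
             + "<Quote><fName>FIRST NAME &lol5;</fName></Quote>";
    }

    // Configuration as the report describes it: only external entities are
    // switched off, so internal entity expansion still runs unchecked up to the
    // JDK's own expansion-count limit, and with no cap on the expanded size.
    static SAXParserFactory externalEntitiesOnlyOff() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f;
    }

    // Hardened per the OWASP XXE cheat sheet: refusing the DOCTYPE declaration
    // means no entities (internal or external) can be declared at all, which
    // stops Billion Laughs and XXE in one step. Use this when no DTDs are needed.
    static SAXParserFactory doctypeForbidden() throws Exception {
        SAXParserFactory f = externalEntitiesOnlyOff();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f;
    }

    // Alternative when DTDs must be accepted: keep the JDK limits, but set them
    // on the parser instance rather than process-wide through -Djdk.xml.*.
    // Both the expansion count and the total expanded size are capped, since
    // a small count of very large entities is what the report warns about.
    static SAXParser limitedExpansion() throws Exception {
        SAXParser p = externalEntitiesOnlyOff().newSAXParser();
        p.setProperty("http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit", 100);
        p.setProperty("http://www.oracle.com/xml/jaxp/properties/totalEntitySizeLimit", 50_000);
        return p;
    }

    // Parses the document and returns how many characters reached the handler,
    // i.e. how much text the entity expansion actually materialised.
    static long parse(SAXParser parser, String xml) throws Exception {
        final long[] delivered = {0};
        parser.parse(new InputSource(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))),
                     new DefaultHandler() {
                         @Override public void characters(char[] ch, int start, int length) {
                             delivered[0] += length;
                         }
                     });
        return delivered[0];
    }

    static void attempt(String label, SAXParser parser, String xml) throws Exception {
        try {
            System.out.printf("%-28s parsed; handler received %d chars%n", label, parse(parser, xml));
        } catch (SAXParseException e) {
            System.out.printf("%-28s rejected: %s%n", label, e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        String xml = billionLaughs();
        System.out.printf("document size on the wire: %d bytes%n", xml.length());
        attempt("external entities only off:", externalEntitiesOnlyOff().newSAXParser(), xml);
        attempt("disallow-doctype-decl:", doctypeForbidden().newSAXParser(), xml);
        attempt("per-parser JDK limits:", limitedExpansion(), xml);
    }
}
```

The first configuration accepts the document and hands roughly 600 KB of characters to the handler from a ~500 byte request, which is the amplification the report is about; the other two fail fast with a SAXParseException before any significant memory is consumed. Prefer `disallow-doctype-decl` whenever the endpoint has no legitimate use for DTDs; the per-parser limits are the fallback for the case rwalkerands raises, where the limits need to apply to incoming message bodies without changing JVM-wide settings.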

@jerseyrobot
Contributor Author

@glassfishrobot Commented
Reported by alepulver

@jerseyrobot
Contributor Author

@glassfishrobot Commented
jkharness87 said:
The default appears to be 64,000 (as of JAXP 1.4):

https://docs.oracle.com/javase/tutorial/jaxp/limits/limits.html
https://jaxp.java.net/1.4/JAXP-Compatibility.html#JAXP_security

Setting the following system property would greatly limit the impact of the issue you raise (setting to 0 makes it unlimited, which you wouldn't want):

jdk.xml.entityExpansionLimit=1

I agree, though. It would be helpful to disable entity expansion altogether for systems that don't require it. More generally speaking, it'd be nice to offer control over all the configuration options as recommended by OWASP:

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Java

@jerseyrobot
Contributor Author

@glassfishrobot Commented
This issue was imported from java.net JIRA JERSEY-3174

@jerseyrobot
Contributor Author

@kiranmn Commented
When is this issue going to be fixed?

The system property jdk.xml.entityExpansionLimit=1 does that work?

@rwalkerands

There is also the system property jdk.xml.totalEntitySizeLimit. It would be nice to be able to set this for incoming message bodies.

@gjoseph

gjoseph commented Aug 6, 2020

Hi there,

For some reason, this issue has started being reported as a vulnerability by SourceClear - https://www.sourceclear.com/vulnerability-database/security/xml-entity-expansion-xee-/java/sid-3606 - with no CVE, however.

Is there a documented workaround, or possibly a patch that sets some better/safer defaults on the parser? Is PR#4472 doing that? If so, is that available in a particular Jersey release yet?

edit: it looks like it is included in 2.31 indeed.

andsel added a commit to andsel/logstash-integration-kafka that referenced this issue Mar 4, 2021
andsel added a commit to logstash-plugins/logstash-integration-kafka that referenced this issue Mar 5, 2021
Jersey version 2.31 fixes eclipse-ee4j/jersey#3446, bump it to 2.33