Bridger, thanks a lot for the good reminder!

Bridger Dyson-Smith <bdysonsm...@gmail.com> wrote on Wed., 14 March 2018,
21:29:

> Forwarding/replying to the list, since I'm officially Bad At Email.
>
> On Wed, Mar 14, 2018 at 11:56 AM, Bridger Dyson-Smith <
> bdysonsm...@gmail.com> wrote:
>
>> Hi Fabrice -
>>
>> On Wed, Mar 14, 2018 at 11:28 AM, Fabrice ETANCHAUD <
>> fetanch...@pch.cerfrance.fr> wrote:
>>
>>> Hello,
>>>
>>>
>>>
>>> I found this MarkLogic post interesting,
>>>
>>> So I forward it to the BaseX users.
>>>
>>> I do not remember loading data I did not trust, but did somebody
>>> experience this kind of issue ?
>>>
>>>
>> I certainly haven't :) but clearly Christian, et al, have considered
>> something similar to this. The INTPARSE[1] option lets you use an internal
>> parser, instead of the standard Java parser.  There are options in the
>> BaseX GUI to use the INTPARSE *and* expand entities from DTDs, but I don't
>> know if those switches are available in the Options.
>>
>>>
>>>
>>> Best regards,
>>>
>>> Fabrice Etanchaud
>>>
>>>
>>>
>>
>> Hope that sheds some light on this. I tried the MarkLogic example using
>> the INTPARSE (and no DTDs/entity parsing) and created a database that
>> contains `<foo/>` :).
>>
>> And on an additional test, again using the BaseX GUI, using the default
> Java Parser (both with and without the 'Parse DTDs and entities' option
> selected), databases were created that expanded the entity and inserted
> <foo>
>   <thing>
>     <one>ONE</one>
>   </thing>
> </foo>
> into the db.
>
>
>> Best,
>> Bridger
>>
>> [1] http://docs.basex.org/wiki/Options#INTPARSE
>>
>> So... untrusted input? INTPARSE is your friend - unless you need to
> expand custom entities.
>
> Bridger
>
>
>>
>>
>>> *De :* general-boun...@developer.marklogic.com [mailto:
>>> general-boun...@developer.marklogic.com] *De la part de* Marcel de
>>> Kleine
>>> *Envoyé :* mercredi 14 mars 2018 13:43
>>> *À :* gene...@developer.marklogic.com
>>> *Objet :* [MarkLogic Dev General] Marklogic XXE and XML Bomb prevention
>>>
>>>
>>>
>>> Hello,
>>>
>>>
>>>
>>> We have noticed Marklogic is vulnerable to xxe (entity expansion) and
>>> xml bomb attacks. When loading a malicious document using
>>> xdmp:document-insert it won't catch these and causes either loading of
>>> unwanted external documents (xxe) or lockup of the system (xml bomb).
>>>
>>>
>>>
>>> For example, if I load this document :
>>>
>>> <?xml version="1.0" encoding="ISO-8859-1"?>
>>>
>>> <!DOCTYPE foo [
>>>
>>>    <!ELEMENT foo ANY >
>>>
>>>    <!ENTITY xxe SYSTEM "file:///c:/text.xml" >]>
>>>
>>> <foo>&xxe;</foo>
>>>
>>>
>>>
>>> The file test.xml gets nicely added to the xml document.
>>>
>>>
>>>
>>> See OWASP and others for examples.
>>>
>>>
>>>
>>> This is clearly an xml processing issue so the question is : can we
>>> disable this? And if so, on what levels would this be possible. Best should
>>> be system-wide.
>>>
>>> (And if you cannot disable this, I think this is something ML should
>>> address immediately.)
>>>
>>>
>>>
>>> Thank you in advance,
>>>
>>> Marcel de Kleine, EPAM
>>>
>>>
>>>
>>> *Marcel de Kleine*
>>>
>>> *Senior Software Engineer*
>>>
>>>
>>>
>>> *Office: *+31 20 241 6134 *x* 30530
>>> *Cell: *+31 6 14806016   *Email: *
>>> marcel_de_kle...@epam.com
>>>
>>> *Delft,* *Netherlands *  *epam.com <http://www.epam.com>*
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>

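The thread's practical advice is to load untrusted XML with a parser that does not resolve external entities and does not expand custom entities from the DTD. The following is an added example, written for this page and not code from the thread, from BaseX or from MarkLogic: it parses with Python's standard expat binding and uses its declaration and entity-reference handlers to refuse a DOCTYPE outright (the equivalent of "INTPARSE and no DTD/entity parsing"), or, when a DTD is permitted, to refuse any external (SYSTEM/PUBLIC) entity such as the `xxe` one quoted above and any internal entity that references other entities (the expansion pattern behind an "xml bomb"). The sample documents are constructed for the example; the `file:///c:/text.xml` path is the placeholder from the quoted message, nothing is read from it.

```python
import xml.parsers.expat

# Constructed sample: the XXE document quoted in the thread (path is a placeholder).
XXE_DOC = b'''<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
   <!ELEMENT foo ANY >
   <!ENTITY xxe SYSTEM "file:///c:/text.xml" >]>
<foo>&xxe;</foo>'''

# Constructed sample: a tiny nested-entity declaration, the shape an expansion
# bomb uses (kept to two levels; the check triggers on the first nested entity).
NESTED_DOC = b'''<?xml version="1.0"?>
<!DOCTYPE a [
 <!ENTITY e0 "x">
 <!ENTITY e1 "&e0;&e0;">
]>
<a>&e1;</a>'''

# Constructed sample: plain, DTD-free document like the one Bridger's test produced.
SAFE_DOC = b'<foo><thing><one>ONE</one></thing></foo>'

MAX_ENTITY_VALUE = 64  # assumption: an internal entity longer than this is suspicious


class UnsafeXML(Exception):
    """Raised from inside an expat handler to abort parsing of hostile input."""


def parse_untrusted(data: bytes, allow_dtd: bool = False) -> dict:
    """Parse bytes with expat, refusing DOCTYPE (unless allow_dtd), external
    entities, and nested or oversized internal entities. Returns the root
    element name and the concatenated character data."""
    parser = xml.parsers.expat.ParserCreate()
    state = {"root": None, "text": []}

    def start_doctype(name, system_id, public_id, has_internal_subset):
        # Strictest mode: no DTD at all for untrusted input.
        if not allow_dtd:
            raise UnsafeXML("DOCTYPE not allowed for untrusted input")
        # Even when a DTD is allowed, never fetch an external subset.
        if system_id or public_id:
            raise UnsafeXML("external DTD subset refused")

    def entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # expat passes value=None for SYSTEM/PUBLIC entities: that is the XXE case.
        if value is None:
            raise UnsafeXML(f"external entity {name!r} refused")
        # An internal entity that references other entities (or is large) is
        # the building block of an entity-expansion bomb; refuse it.
        if "&" in value or len(value) > MAX_ENTITY_VALUE:
            raise UnsafeXML(f"nested or oversized entity {name!r} refused")

    def external_entity_ref(context, base, system_id, public_id):
        # Belt and braces: returning a false value makes expat abort the parse.
        return 0

    def start_element(name, attrs):
        if state["root"] is None:
            state["root"] = name

    def char_data(text):
        state["text"].append(text)

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.CharacterDataHandler = char_data
    parser.Parse(data, True)
    return {"root": state["root"], "text": "".join(state["text"]).strip()}


def classify(data: bytes, allow_dtd: bool = False) -> str:
    """Return 'accepted' or a 'refused: ...' reason, never raising, so the
    check can sit in front of a document-insert call."""
    try:
        parse_untrusted(data, allow_dtd=allow_dtd)
        return "accepted"
    except UnsafeXML as exc:
        return f"refused: {exc}"
    except xml.parsers.expat.ExpatError as exc:
        return f"refused: malformed XML ({exc})"


if __name__ == "__main__":
    for label, doc in (("safe", SAFE_DOC), ("xxe", XXE_DOC), ("nested", NESTED_DOC)):
        print(f"{label:7} no-DTD mode : {classify(doc)}")
        print(f"{label:7} DTD allowed : {classify(doc, allow_dtd=True)}")
```

Refusing the document differs from what the thread reports for INTPARSE without DTD parsing, which silently stored `<foo/>`; rejecting loudly is the safer default for an ingest path, because it surfaces hostile input instead of storing a truncated document.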