Thank you very much, Christian!
> I am using the internal parser with the DTD option set to false, but
> this is still vulnerable to the one billion laughs attack.
> Thanks for the hint. I have improved the entity expansion checks in
> our internal XML parser [1].
In BaseX 11.5, the billion laughs
[https://gist.github.com/mgeeky/4f726d3b374f0a34267d4f19c9004870] ran
for a long time, and gave me "java.lang.ArrayIndexOutOfBoundsException:
Maximum array size reached."
The latest release says: "Entities: expansion limit exceeded or
recursive definitions found."
No more billion laughs!
I was working on an extra option to set
`XMLConstants.FEATURE_SECURE_PROCESSING` to `true`, because I used that
in the project that I am rewriting.
This option is used to "set limits on XML constructs to avoid conditions
such as denial of service attacks." With your recent changes, I think
this is no longer needed.
> If you find an example that will not be caught by our (very simple)
> heuristics, feel free to share it with us.
I am still testing, and will let you know if I find anything.
> I agree with Eliot that it can be hazardous to process arbitrary
> external contents (you are probably aware of that, too). Good
> firewall/proxy settings may be able to tackle some of the issues that
> will not be handled during XML parsing.
Unfortunately, I have little influence on the firewall/proxy in the
production environment, so I try to handle everything in BaseX or my
Docker image.
Kind regards,
Nico
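The kind of entity-expansion check discussed in the thread, as an added example that is not part of the original messages: this is not BaseX's internal parser (its code is not on this page) and it is not a substitute for `XMLConstants.FEATURE_SECURE_PROCESSING`. It reads the general entities declared in the internal DTD subset, computes how large each one would expand to without ever building the expanded text, stops as soon as a configurable limit is exceeded, and rejects recursive definitions. The regular expressions, the 100,000-character limit and all sample documents are constructed here; the billion-laughs generator reproduces the shape of the well-known payload rather than embedding the gist.

```python
"""Entity-expansion check for the internal DTD subset of an XML document.

Instead of expanding entities and measuring the result, compute the size each
general entity WOULD expand to, bail out once that exceeds a limit, and refuse
definitions that reference themselves directly or indirectly.
"""
import re
from typing import Dict, Tuple

PREDEFINED = {"lt", "gt", "amp", "quot", "apos"}   # each expands to one character
# Assumed, simplified grammar: DOCTYPE with an optional internal subset in [...]
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b[^\[>]*(?:\[(.*?)\])?\s*>", re.S)
# General entities only; parameter entities (<!ENTITY % name ...>) do not match.
ENTITY_RE = re.compile(r"""<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|'([^']*)')\s*>""")
REF_RE = re.compile(r"&(\w+);")


class EntityExpansionError(ValueError):
    """Expansion would exceed the limit, or an entity is defined recursively."""


def split_document(doc: str) -> Tuple[Dict[str, str], str]:
    """Return (entities declared in the internal subset, the document body)."""
    m = DOCTYPE_RE.search(doc)
    if m is None:
        return {}, doc
    entities = {name: dq or sq for name, dq, sq in ENTITY_RE.findall(m.group(1) or "")}
    return entities, doc[m.end():]


def expanded_size(name: str, entities: Dict[str, str], memo: Dict[str, int],
                  stack: Tuple[str, ...], limit: int) -> int:
    """Size of the fully expanded text of &name;, computed without building that text."""
    if name in PREDEFINED:
        return 1
    if name in stack:   # the entity being expanded refers back to itself
        raise EntityExpansionError("recursive definition: " + " -> ".join(stack + (name,)))
    if name in memo:
        return memo[name]
    value = entities.get(name)
    if value is None:   # undeclared reference: a real parser rejects it; count the literal here
        return len(name) + 2
    size = len(REF_RE.sub("", value))   # literal characters in the replacement text
    for ref in REF_RE.findall(value):
        size += expanded_size(ref, entities, memo, stack + (name,), limit)
        if size > limit:
            raise EntityExpansionError(
                f"expansion limit exceeded ({size} > {limit}) while expanding &{name};")
    memo[name] = size
    return size


def check_document(doc: str, limit: int = 100_000) -> int:
    """Raise EntityExpansionError for dangerous documents; return the expanded size of body references."""
    entities, body = split_document(doc)
    memo: Dict[str, int] = {}
    for name in entities:   # recursive definitions are rejected even if never referenced
        expanded_size(name, entities, memo, (), limit)
    total = 0
    for ref in REF_RE.findall(body):
        total += expanded_size(ref, entities, memo, (), limit)
        if total > limit:
            raise EntityExpansionError(f"expansion limit exceeded ({total} > {limit}) in document body")
    return total


def verdict(doc: str, limit: int = 100_000) -> str:
    """Human-readable outcome for the constructed samples below."""
    try:
        return f"ok: {check_document(doc, limit)} characters"
    except EntityExpansionError as exc:
        return str(exc)


def billion_laughs(depth: int = 9, fanout: int = 10) -> str:
    """Constructed billion-laughs document with the shape of the well-known payload."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        prev = "lol" if i == 1 else f"lol{i - 1}"
        refs = f"&{prev};" * fanout
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    subset = "\n ".join(decls)
    return f'<?xml version="1.0"?>\n<!DOCTYPE lolz [\n {subset}\n]>\n<lolz>&lol{depth};</lolz>'


# Constructed samples: a recursive definition and a harmless document.
RECURSIVE = '<!DOCTYPE a [<!ENTITY x "&y;"><!ENTITY y "&x;">]><a>&x;</a>'
BENIGN = ('<?xml version="1.0"?>\n<!DOCTYPE note [<!ENTITY company "Example Corp">]>\n'
          '<note>&company; &amp; partners &lt;3</note>')

if __name__ == "__main__":
    for label, doc in [("billion laughs", billion_laughs()), ("recursive", RECURSIVE), ("benign", BENIGN)]:
        print(f"{label:15} {verdict(doc)}")
```

Because sizes are memoized, each declaration is visited once, so the nine-level document is rejected after a handful of additions instead of after minutes of expansion into roughly 3 GB of text, and a recursive definition that would otherwise loop forever is caught by the stack check. The heuristic is deliberately simple: it covers only general entities in the internal subset and says nothing about external or parameter entities, which is where the DTD option and the firewall/proxy settings mentioned in the thread come in.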