[ https://issues.apache.org/jira/browse/BATIK-1189?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16413875#comment-16413875 ]
Andrea Aime edited comment on BATIK-1189 at 3/26/18 1:59 PM:
-------------------------------------------------------------

I found this one after attempting an update from 1.7 to 1.9.1. In GeoTools we were already overriding resolveEntity in SAXSVGDocumentFactory, but now it is no longer being called and our XXE injection tests do not pass anymore. Unfortunately they are not a straight Batik usage without other dependencies, but I guess you can have a look as a starting point for writing a test:

* The test: [https://github.com/geotools/geotools/blob/master/modules/plugin/svg/src/test/java/org/geotools/renderer/style/SVGGraphicFactoryTest.java#L84]
* The anonymous object with the resolveEntity override: [https://github.com/geotools/geotools/blob/master/modules/plugin/svg/src/main/java/org/geotools/renderer/style/SVGGraphicFactory.java#L151]

> XML External Entity Injection
> -----------------------------
>
> Key: BATIK-1189
> URL: https://issues.apache.org/jira/browse/BATIK-1189
> Project: Batik
> Issue Type: Bug
> Affects Versions: 1.9
> Reporter: Donald Kwakkel
> Priority: Critical
>
> XML parsers/transformers do not prevent or limit external entity resolution. This can expose the parser to an XML External Entities attack.
> Following places:
> # ImageIODebugUtil.dumpNode (TransformerFactory)
> # NodePickerPanel.parseXml (DocumentBuilderFactory)
> # SAXSVGDocumentFactory.resolveEntity (line 374 returns null, which falls back to the default resolver)
> # XMLInputHandler.handle (both Transformer and Document Factory)
> For DocumentBuilderFactory you probably need to set:
> {code}
> factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
> factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
> {code}
> For TransformerFactory:
> {code}
> factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
> {code}
> Explanation:
> XML External Entities attacks benefit from an XML feature to build documents dynamically at the time of processing. An XML entity allows inclusion of data dynamically from a given resource. External entities allow an XML document to include data from an external URI. Unless configured to do otherwise, external entities force the XML parser to access the resource specified by the URI, e.g., a file on the local machine or on a remote system. This behavior exposes the application to XML External Entity (XXE) attacks, which can be used to perform denial of service of the local system, gain unauthorized access to files on the local machine, scan remote machines, and perform denial of service of remote systems.
> The following XML document shows an example of an XXE attack.
> {code}
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <!DOCTYPE foo [
> <!ELEMENT foo ANY >
> <!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>
> {code}
> This example could crash the server (on a UNIX system), if the XML parser attempts to substitute the entity with the contents of the /dev/random file.
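The two mitigations the report asks for, the JAXP feature flags and a resolveEntity that never fetches anything (the approach GeoTools takes), shown together as an added example in plain JAXP; this is not Batik or GeoTools code, and the class XxeHardening, the helper rejectsExternalEntity and the placeholder path file:///nonexistent-placeholder are assumptions of this example.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XxeHardening {
    // Constructed input: the DOCTYPE from the report, pointing at a placeholder path
    // instead of /dev/random so an unhardened parser fails fast rather than hanging.
    static final String XXE_SAMPLE =
        "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n"
      + "<!DOCTYPE foo [\n<!ELEMENT foo ANY >\n"
      + "<!ENTITY xxe SYSTEM \"file:///nonexistent-placeholder\" >]><foo>&xxe;</foo>";

    // The two SAX features from the report: no external general or parameter entities.
    static DocumentBuilderFactory hardenedDocumentBuilderFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return f;
    }

    // Secure processing plus the JAXP 1.5 access properties, so no DTD or stylesheet is fetched.
    static TransformerFactory hardenedTransformerFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // True when the external entity was never fetched (it expands to nothing or the document
    // is rejected); false when the parser actually tried to open the referenced resource.
    static boolean rejectsExternalEntity(DocumentBuilderFactory f, boolean nonResolvingResolver)
            throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        if (nonResolvingResolver) { // same idea as overriding resolveEntity to return an empty source
            b.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        }
        try {
            Document d = b.parse(new InputSource(new StringReader(XXE_SAMPLE)));
            return d.getDocumentElement().getTextContent().isEmpty();
        } catch (SAXException e) {
            return true;
        } catch (IOException e) {
            return false;
        }
    }
}
```

A regression test in the spirit of the GeoTools one calls rejectsExternalEntity(hardenedDocumentBuilderFactory(), false) and rejectsExternalEntity(DocumentBuilderFactory.newInstance(), true), expecting true for both, while the unhardened factory with the default resolver returns false because it attempts to open the placeholder path.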
--
This message was sent by Atlassian JIRA (v7.6.3#76005)