Alhuda Khan created CALCITE-7601:
------------------------------------
Summary: harden ST_GeomFromGML against external entity expansion
Key: CALCITE-7601
URL: https://issues.apache.org/jira/browse/CALCITE-7601
Project: Calcite
Issue Type: Bug
Reporter: Alhuda Khan
## Jira Link

A Jira can be filed for this if preferred; raising the patch first since the change is small and self-contained.

## Changes Proposed

Repro: `SELECT ST_GeomFromGML(g)` where `g` is a GML string carrying a DOCTYPE with an external entity, e.g. `<!DOCTYPE x [ <!ENTITY e SYSTEM "file:///etc/passwd"> ]>` referenced from `<gml:coordinates>&e;,0</gml:coordinates>`.

Expected: the entity is not resolved.

Actual: `fromGml` builds a JTS `GMLReader`, whose internal `SAXParserFactory` leaves DOCTYPE and external general/parameter entities enabled, so the parser fetches the entity target and inlines it into the geometry. That is a local file read / SSRF (XXE) from row data, since the GML argument crosses the trust boundary at the `ST_GeomFromGML` SQL function.

Fix: parse with a `SAXParser` configured with `disallow-doctype-decl` and external entities off, feeding JTS's own `GMLHandler`. The same hardening is already used in `XmlFunctions` and `DiffRepository`.

Test: `SpatialTypeUtilsTest` gets a regression that points an external entity at a temp file holding a valid coordinate, so an unguarded parser would return `POINT (7 8)` while the guarded one rejects the document.
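The shape of the proposed fix, as an added illustration rather than the Calcite patch itself: a `SAXParserFactory` locked down the way the description asks for, driving JTS's `GMLHandler` directly instead of going through `GMLReader`. The class name `HardenedGmlParser` is invented here; the feature URIs assume the JDK's built-in (Xerces-derived) SAX parser, and `GMLHandler(GeometryFactory, ErrorHandler)` / `getGeometry()` are the JTS constructor and accessor as I know them.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.locationtech.jts.geom.Geometry;
import org.locationtech.jts.geom.GeometryFactory;
import org.locationtech.jts.io.gml2.GMLHandler;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Illustrative hardened GML parsing (not Calcite's code): same JTS handler, a parser that cannot leave the document. */
public final class HardenedGmlParser {

  private static final SAXParserFactory FACTORY = createFactory();

  private static SAXParserFactory createFactory() {
    try {
      SAXParserFactory f = SAXParserFactory.newInstance();
      f.setNamespaceAware(false); // mirrors what JTS GMLReader does, so GMLHandler sees "gml:Point" as the qName
      f.setValidating(false);
      f.setXIncludeAware(false);
      // Primary control: any DOCTYPE is a fatal error, so no entity can even be declared.
      f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
      // Defence in depth in case a parser implementation does not honour the feature above.
      f.setFeature("http://xml.org/sax/features/external-general-entities", false);
      f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
      f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
      f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
      return f;
    } catch (Exception e) {
      throw new IllegalStateException("cannot build hardened SAXParserFactory", e);
    }
  }

  /** Parses GML into a JTS geometry; a document carrying a DOCTYPE fails with SAXException before any I/O. */
  public static Geometry parse(String gml, GeometryFactory gf) throws Exception {
    SAXParser parser = FACTORY.newSAXParser();
    GMLHandler handler = new GMLHandler(gf, null);
    parser.parse(new InputSource(new StringReader(gml)), handler);
    return handler.getGeometry();
  }

  public static void main(String[] args) throws Exception {
    // Constructed benign input: expected to print POINT (7 8).
    String ok = "<gml:Point xmlns:gml=\"http://www.opengis.net/gml\">"
        + "<gml:coordinates>7,8</gml:coordinates></gml:Point>";
    System.out.println(parse(ok, new GeometryFactory()));
    // Constructed input with an (empty) DOCTYPE: rejected at the declaration, no entity is ever resolved.
    try {
      parse("<!DOCTYPE x []><gml:Point xmlns:gml=\"http://www.opengis.net/gml\"/>", new GeometryFactory());
    } catch (SAXException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```

The regression test the description proposes would assert exactly that split: the benign document still yields the geometry, and any document with a DOCTYPE raises rather than returning a point whose coordinate came from outside the row.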
--
This message was sent by Atlassian Jira
(v8.20.10#820010)