sahvx655-wq created FELIX-6840:
----------------------------------
Summary: Harden XML parsers against XML External Entity (XXE) injection
Key: FELIX-6840
URL: https://issues.apache.org/jira/browse/FELIX-6840
Project: Felix
Issue Type: Bug
Components: Bundle Repository (OBR), Declarative Services (SCR), iPOJO
Reporter: sahvx655-wq
Several Apache Felix components process XML files such as OSGi component
descriptors, bundle repository metadata, iPOJO metadata, and build-time plugin
descriptors.
Some of the XML parsers used in these components are not explicitly configured
to disable DTD processing and external entity resolution. If specially crafted
XML from an untrusted source is processed, it could potentially lead to XML
External Entity (XXE) attacks or XML bomb (Billion Laughs) denial-of-service
attacks.
Harden XML parsing across the affected Apache Felix components by configuring
XML parsers to:
* Disable DTD processing.
* Disable external entity resolution.
* Disable loading of external DTDs.
* Disable XInclude processing where applicable.
This change improves security by preventing XML parsers from processing
external entities and other XML features that are commonly abused in XXE
attacks.
h3. Affected Components
* Declarative Services (SCR)
* iPOJO Manipulator
* Bundle Repository
* Utils Repository
* OSGi Check Maven Plugin
XML files containing external entities, DOCTYPE declarations, or similar XXE
payloads should be safely rejected, while existing valid OSGi descriptors
continue to work normally.
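As an added illustration of the hardening described above (this is example code written for this note, not code from the Felix project or from the reporter), the following Java class builds JAXP `DocumentBuilderFactory` and `SAXParserFactory` instances with DTD processing, external general and parameter entities, external DTD loading and XInclude all switched off, then checks the behaviour the issue asks for: a constructed descriptor without a DOCTYPE parses normally, while a constructed descriptor carrying a DOCTYPE is rejected before any entity is expanded. The class and helper names (`HardenedXmlParsing`, `hardenedDomFactory`, `hardenedSaxFactory`, `parseOrNull`) and both sample documents are assumptions made for the example; the feature URIs are the standard Xerces/JAXP ones honoured by the JDK's bundled parser.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;

import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Hypothetical helper class for this example; not part of Apache Felix.
public final class HardenedXmlParsing {

    private static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String EXTERNAL_GENERAL =
        "http://xml.org/sax/features/external-general-entities";
    private static final String EXTERNAL_PARAMETER =
        "http://xml.org/sax/features/external-parameter-entities";
    private static final String LOAD_EXTERNAL_DTD =
        "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    // DOM factory with DTDs, external entities, external DTD loading and XInclude disabled.
    public static DocumentBuilderFactory hardenedDomFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE outright removes entity declarations entirely
        // (both the XXE and the "Billion Laughs" expansion cases).
        f.setFeature(DISALLOW_DOCTYPE, true);
        // Defence in depth in case an implementation ignores the feature above.
        f.setFeature(EXTERNAL_GENERAL, false);
        f.setFeature(EXTERNAL_PARAMETER, false);
        f.setFeature(LOAD_EXTERNAL_DTD, false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP secure processing also enforces entity-expansion limits.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    // Same settings for a SAX factory; features must be set before newSAXParser().
    public static SAXParserFactory hardenedSaxFactory()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(DISALLOW_DOCTYPE, true);
        f.setFeature(EXTERNAL_GENERAL, false);
        f.setFeature(EXTERNAL_PARAMETER, false);
        f.setFeature(LOAD_EXTERNAL_DTD, false);
        f.setXIncludeAware(false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    // Parses with the hardened DOM factory; returns null when the parser rejects the input.
    public static Document parseOrNull(String xml) throws Exception {
        DocumentBuilder builder = hardenedDomFactory().newDocumentBuilder();
        try {
            return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        } catch (SAXException rejected) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a minimal SCR-style component descriptor, no DOCTYPE.
        String validDescriptor = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
            + "<components xmlns:scr=\"http://www.osgi.org/xmlns/scr/v1.1.0\">\n"
            + "  <scr:component name=\"example.Component\">\n"
            + "    <implementation class=\"example.ComponentImpl\"/>\n"
            + "  </scr:component>\n"
            + "</components>";

        // Constructed sample: the same descriptor preceded by a DOCTYPE that declares
        // an internal entity. The hardened parser refuses it at the DOCTYPE itself.
        String descriptorWithDoctype = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
            + "<!DOCTYPE components [ <!ENTITY placeholder \"expanded\"> ]>\n"
            + "<components xmlns:scr=\"http://www.osgi.org/xmlns/scr/v1.1.0\">\n"
            + "  <scr:component name=\"&placeholder;\"/>\n"
            + "</components>";

        Document ok = parseOrNull(validDescriptor);
        Document refused = parseOrNull(descriptorWithDoctype);

        System.out.println("valid descriptor parsed: " + (ok != null
            ? ok.getDocumentElement().getTagName() : "REJECTED"));
        System.out.println("descriptor with DOCTYPE: " + (refused == null
            ? "rejected as expected" : "UNEXPECTEDLY ACCEPTED"));

        // The SAX factory is configured the same way; creating a parser from it
        // verifies that every feature is recognised by the installed implementation.
        hardenedSaxFactory().newSAXParser();
    }
}
```

Rejecting the DOCTYPE is the decisive control: the other features matter only as a fallback for parser implementations that do not honour `disallow-doctype-decl`. Because OSGi component, repository and iPOJO descriptors are not expected to carry a DOCTYPE, this check does not affect valid descriptors, which is the compatibility condition the issue states.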
--
This message was sent by Atlassian Jira (v8.20.10#820010)