sahvx655-wq created FELIX-6840:
----------------------------------

             Summary: Harden XML parsers against XML External Entity (XXE) injection
                 Key: FELIX-6840
                 URL: https://issues.apache.org/jira/browse/FELIX-6840
             Project: Felix
          Issue Type: Bug
          Components: Bundle Repository (OBR), Declarative Services (SCR), iPOJO
            Reporter: sahvx655-wq


Several Apache Felix components process XML files such as OSGi component 
descriptors, bundle repository metadata, iPOJO metadata, and build-time plugin 
descriptors.

Some of the XML parsers used in these components are not explicitly configured 
to disable DTD processing and external entity resolution. If specially crafted 
XML from an untrusted source is processed, this could lead to XML External 
Entity (XXE) attacks or XML bomb (Billion Laughs) denial-of-service attacks.

Harden XML parsing across the affected Apache Felix components by configuring 
XML parsers to:
 * Disable DTD processing.
 * Disable external entity resolution.
 * Disable loading of external DTDs.
 * Disable XInclude processing where applicable.

This change improves security by preventing XML parsers from processing 
external entities and other XML features that are commonly abused in XXE 
attacks.

h3. Affected Components
 * Declarative Services (SCR)
 * iPOJO Manipulator
 * Bundle Repository
 * Utils Repository
 * OSGi Check Maven Plugin

XML files containing external entities, DOCTYPE declarations, or similar XXE 
payloads should be safely rejected, while existing valid OSGi descriptors 
continue to work normally.
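The following is an added example, not code from the Felix project or this issue, showing how the four hardening settings listed above can be applied to the JDK's JAXP factories, and how a DOCTYPE-bearing document is then rejected while a DTD-free descriptor still parses. The class name {{HardenedXml}}, the sample documents and the SCR-style namespace and attribute names used in them are illustrative assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;

import org.w3c.dom.Document;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

/**
 * Hardened JAXP factory configuration (illustrative example, not Felix code).
 * Each setting corresponds to one bullet of the hardening list in the issue.
 */
public final class HardenedXml {

    // Feature URIs understood by the JDK's built-in (Xerces-derived) parsers.
    private static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String EXTERNAL_GENERAL_ENTITIES =
        "http://xml.org/sax/features/external-general-entities";
    private static final String EXTERNAL_PARAMETER_ENTITIES =
        "http://xml.org/sax/features/external-parameter-entities";
    private static final String LOAD_EXTERNAL_DTD =
        "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    public static DocumentBuilderFactory newDocumentBuilderFactory()
            throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Disable DTD processing: any <!DOCTYPE> becomes a fatal parse error,
        // which also stops entity-expansion bombs before they can be declared.
        f.setFeature(DISALLOW_DOCTYPE, true);
        // Disable external entity resolution (general and parameter entities).
        f.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
        f.setFeature(EXTERNAL_PARAMETER_ENTITIES, false);
        // Disable loading of external DTDs.
        f.setFeature(LOAD_EXTERNAL_DTD, false);
        // Disable XInclude processing and entity-reference expansion.
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 access-control properties: no protocol may be used to fetch
        // external DTDs or schemas even if a feature above were unsupported.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    public static SAXParserFactory newSaxParserFactory()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(DISALLOW_DOCTYPE, true);
        f.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
        f.setFeature(EXTERNAL_PARAMETER_ENTITIES, false);
        f.setFeature(LOAD_EXTERNAL_DTD, false);
        f.setXIncludeAware(false);
        return f;
    }

    /** Parses with the hardened DOM factory and returns the root element name. */
    public static String rootElement(String xml) throws Exception {
        DocumentBuilder b = newDocumentBuilderFactory().newDocumentBuilder();
        Document doc = b.parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTagName();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a minimal DTD-free descriptor in the style of an
        // SCR component XML (namespace and attribute names are illustrative).
        String valid = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
            + "<scr:component xmlns:scr=\"http://www.osgi.org/xmlns/scr/v1.1.0\""
            + " name=\"example\">\n"
            + "  <implementation class=\"org.example.Impl\"/>\n"
            + "</scr:component>";
        System.out.println("valid descriptor root: " + rootElement(valid));

        // Constructed sample: the same document preceded by a DOCTYPE. The
        // hardened factory refuses it before any entity declaration is read.
        String withDoctype = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE scr:component [ ]>\n"
            + "<scr:component xmlns:scr=\"http://www.osgi.org/xmlns/scr/v1.1.0\"/>";
        try {
            rootElement(withDoctype);
            System.out.println("unexpected: DOCTYPE document was accepted");
        } catch (SAXParseException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Disallowing the DOCTYPE declaration outright is the single most effective setting, because both external entities and entity-expansion bombs must be declared in a DTD; the remaining features and the {{ACCESS_EXTERNAL_*}} properties are layered so that the parser stays safe on implementations where {{disallow-doctype-decl}} is not recognised. On a non-JDK parser, {{setFeature}} and {{setAttribute}} may throw for an unknown name; treat that as a configuration failure rather than silently falling back to an unhardened parser.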



--
This message was sent by Atlassian Jira
(v8.20.10#820010)