Monday, January 16, 2017, 10:05:13 AM, Christoph Rüger wrote:

[snip]

> The DocumentBuilderFactory created in freemarker.ext.dom.NodeModel.getDocumentBuilderFactory()
> is currently set up to resolve external entities (which is default behavior).

I believe it's pretty much necessary too. Many XML-s do need them in reality.

> This opens the door for XXE attacks (External Entity Injection): see
> http://colesec.inventedtheinternet.com/attacking-xml-with-xml-external-entity-injection-xxe/

That's good to keep in mind in general, but a template author isn't supposed to be able to provide the XML. The DOM is normally already in the data-model before the template processing is started. So if someone can only edit the template, can he still exploit this?

> Lots of web-apps have this problem, e.g. also PHP, where this is enabled by
> default too (not a PHP guy, but read about it).
>
> We basically chose to forbid ExternalEntities completely by extending
> NodeModel and so set some properties to the DocumentBuilderFactory as
> described here:
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#JAXP_DocumentBuilderFactory.2C_SAXParserFactory_and_DOM4J

Not sure what you can do with extending NodeModel, because getDocumentBuilderFactory is static. As far as I see, all we (at FreeMarker) can do is to add a boolean disableExternalEntityResolution parameter to that static method and to the also static NodeModel.parse methods, and JavaDoc the dangers clearly there. I'm not aware of FreeMarker itself loading XML automatically (it doesn't call these static methods from inside), it only works with the DOM provided (which then already contains the external entities resolved).

>>> 2017-01-12 23:58 GMT+01:00 Daniel Dekany <[email protected]>:
>>>
>>>> I have collected some further easy changes for FM3... Any comments?
>>>>
>>>> - Drop FTL classic compatible mode option (Roughly emulates FM1
>>>>   behavior at null-s and at some type handling issues)
>>>>
>>>> - Drop FTL non-strict syntax option (FM1 syntax - that's where you
>>>>   could write <if x> instead of <#if x>).
>>>>
>>>> - Drop all the "public static void main(String[] args)" methods
>>>>   (security concern)
>>>>
>>>> - Drop freemarker.log. That's a simple log adapter facility from the
>>>>   ancient times of Java, kind of like commons-logging or slf4j. I
>>>>   would instead introduce slf4j-api as a required dependency.
>>>>
>>>> - Drop legacy XML wrapper (freemarker.ext.xml, not to be confused with
>>>>   freemarker.ext.dom)
>>>>
>>>> - Drop ant task (freemarker.ext.ant)
>>>>
>>>> --
>>>> Thanks,
>>>> Daniel Dekany

> --
> Christoph Rüger, Managing Director
> Synesty <https://synesty.com/> - Automation, Interfaces, Data Feeds
> Tel.: +49 3641/559649
>
> Xing: https://www.xing.com/profile/Christoph_Rueger2
> LinkedIn: http://www.linkedin.com/pub/christoph-rueger/a/685/198

--
Thanks,
Daniel Dekany
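The approach Christoph describes, building the DOM with a DocumentBuilderFactory hardened per the OWASP JAXP recommendations before handing it to FreeMarker, as an added example that is not code from this thread or from the FreeMarker project. It assumes FreeMarker's public NodeModel.wrap(Node) for wrapping an already-parsed DOM; the two XML strings are constructed samples, and the entity URI is a placeholder.

```java
import java.io.StringReader;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

import freemarker.ext.dom.NodeModel;

public class HardenedXmlLoader {

    /** DocumentBuilderFactory with external entity resolution disabled
     *  (the JAXP settings from the OWASP XXE prevention cheat sheet). */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Strongest setting: reject any DOCTYPE, so no entity can be declared at all.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setNamespaceAware(true); // FreeMarker's DOM wrapper expects a namespace-aware DOM
        return dbf;
    }

    /** Parses the XML with the hardened factory and wraps the DOM for the data-model. */
    static NodeModel loadForDataModel(String xml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        return NodeModel.wrap(doc); // assumption: FreeMarker's static NodeModel.wrap(Node)
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: plain document, accepted by the hardened parser.
        System.out.println("benign parsed: " + (loadForDataModel("<doc><item>ok</item></doc>") != null));
        // Constructed sample: DOCTYPE declaring an external entity (placeholder URI).
        String withDoctype = "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"file:///placeholder/not-real\">]>"
                + "<doc>&ext;</doc>";
        try {
            loadForDataModel(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            System.out.println("rejected as expected: " + e.getMessage()); // DOCTYPE is disallowed
        }
    }
}
```

The second parse fails at the DOCTYPE itself, so the entity's URI is never fetched; if a deployment must accept DTDs, drop the disallow-doctype-decl line and keep the remaining features, which still stop external entity resolution.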
