2017-01-16 11:58 GMT+01:00 Daniel Dekany <ddek...@freemail.hu>:

> Monday, January 16, 2017, 10:05:13 AM, Christoph Rüger wrote:
>
> [snip]
> > The DocumentBuilderFactory created
> > in freemarker.ext.dom.NodeModel.getDocumentBuilderFactory() is currently
> > set up to resolve external entities (which is default behavior).
>
> I believe it's pretty much necessary too. Many XML-s do need them in
> reality.
>
> > This opens
> > the door for XXE attacks (External Entity Injection): see
> > http://colesec.inventedtheinternet.com/attacking-xml-with-xml-external-entity-injection-xxe/
>
> That's good to keep in mind in general, but a template author isn't
> supposed to be able to provide the XML. The DOM is normally already in
> the data-model before the template processing is started. So if
> someone can only edit the template, can he still exploit this?
>
I would say no. It is not something the template author can exploit, but
more the party providing the XML.



>
> > Lots of web-apps have this problem e.g. also PHP where this is enabled
> > by default too (not a php guy, but read about it).
> >
> > We basically chose to forbid ExternalEntities completely by extending
> > NodeModel and so set some properties to the DocumentBuilderFactory as
> > described here:
> > https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#JAXP_DocumentBuilderFactory.2C_SAXParserFactory_and_DOM4J
>
> Not sure what you can do with extending NodeModel, because
> getDocumentBuilderFactory is static. As far as I see, all we (at
> FreeMarker) can do is to add a boolean disableExternalEntityResolution
> parameter to that static method and to the also static NodeModel.parse
> methods, and JavaDoc the dangers clearly there.


A parameter *disableExternalEntityResolution* would be helpful.


> I'm not aware of
> FreeMarker itself loading XML automatically (it doesn't call these
> static methods from inside), it only works with the DOM provided
> (which then already contains the external entities resolved).
>

You can pass a File to *NodeModel.parse(File f)* which is at this point not
parsed yet. The parsing happens later using the DocumentBuilderFactory
created by *NodeModel.getDocumentBuilderFactory()*. This is also when the
external entities are resolved and the DOM is created. So it would be good if
this could be customized (either by passing parameters or some other
mechanism).

I guess we had to do some "hacky" customizing of NodeModel in order to be
able to use our own instance of DocumentBuilderFactory used by NodeModel.


>
> >> >> > 2017-01-12 23:58 GMT+01:00 Daniel Dekany <ddek...@freemail.hu>:
> >> >> > I have collected some further easy changes for FM3... Any comments?
> >> >> >
> >> >> > - Drop FTL classic compatible mode option (Roughly emulates FM1
> >> >> >   behavior at null-s and at some type handling issues)
> >> >> >
> >> >> > - Drop FTL non-strict syntax option (FM1 syntax - that's where you
> >> >> >   could write <if x> instead of <#if x>).
> >> >> >
> >> >> > - Drop all the "public static void main(String[] args)" methods
> >> >> (security concern)
> >> >> >
> >> >> > - Drop freemarker.log. That's a simple log adapter facility from
> the
> >> >> >   ancient times of Java, kind of like commons-logging or slf4j. I
> >> >> >   would instead introduce slf4j-api as a required dependency.
> >> >> >
> >> >> > - Drop legacy XML wrapper (freemarker.ext.xml, not to be confused
> with
> >> >> >   freemarker.ext.dom)
> >> >> >
> >> >> > - Drop ant task (freemarker.ext.ant)
> >> >> >
> >> >> > --
> >> >> > Thanks,
> >> >> >  Daniel Dekany


-- 
Christoph Rüger, Managing Director
Synesty <https://synesty.com/> - Automation, Interfaces, Data Feeds
Tel.: +49 3641/559649

Xing: https://www.xing.com/profile/Christoph_Rueger2
LinkedIn: http://www.linkedin.com/pub/christoph-rueger/a/685/198

-- 
Synesty GmbH
Moritz-von-Rohr-Str. 1a
07745 Jena
Tel.: +49 3641 559649
Fax.: +49 3641 5596499
Internet: http://synesty.com

Managing Director: Christoph Rüger
Registered office: Jena
Commercial Register B at the District Court: Jena
Commercial Register Number: HRB 508766
VAT ID No.: DE287564982
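As an added illustration (not code from this thread, nor from FreeMarker itself), the following shows the OWASP-style DocumentBuilderFactory hardening the thread refers to, and how an application can sidestep the static NodeModel.parse methods by parsing with its own hardened factory and handing the finished Document to FreeMarker's existing NodeModel.wrap(Node). The sample XML with its external entity declaration is constructed, and the SYSTEM identifier in it is a placeholder; the feature URIs are the standard JAXP/Xerces ones and are assumed to be supported by the JDK's built-in parser.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import freemarker.ext.dom.NodeModel;

public class HardenedXmlParsing {
    // Constructed sample: declares an external entity. A default
    // DocumentBuilderFactory would try to resolve it while building the DOM;
    // the hardened one refuses the DOCTYPE before any resolution happens.
    static final String SAMPLE_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE root [ <!ENTITY ext SYSTEM \"file:///placeholder/path\"> ]>\n"
      + "<root><item>&ext;</item></root>";

    /** Factory with external entity resolution switched off (OWASP cheat sheet settings). */
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Rejecting DOCTYPE entirely is the strongest single setting.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // The remaining settings cover parsers that ignore the one above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Parses untrusted XML with the hardened factory and wraps the DOM for FreeMarker. */
    static NodeModel parseForTemplate(String xml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        // Hand the already-parsed DOM to FreeMarker instead of calling NodeModel.parse(...)
        return NodeModel.wrap(doc);
    }
    public static void main(String[] args) throws Exception {
        try {
            parseForTemplate(SAMPLE_XML);
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            // Expected path: the DOCTYPE is refused, so the entity is never fetched.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The NodeModel returned by parseForTemplate goes into the data-model like any other wrapped DOM, so templates need no change.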
