I really don't get this FUD around xincludes. Entity attacks are a problem if you're using XML as a transfer data format. As the article says, "Since the entire XML document is communicated from an untrusted client". Ok, but the pom.xml is the heart of the source code. There are plenty of other things to tighten up in Maven: I can include a <module>../../../nasty/pom.xml</module> no problem. What about plugins? Let's not kid ourselves - if someone gets into the repo they can do whatever. I stand to be proved wrong, but it feels like most of these "attacks" are merely theoretical, and make good chew for OWASP bad lists.
I can't remember the last time I solved a real-world problem. Since I started working with Maven my biggest problem has been verbose configuration, implemented under a strict inheritance tree. For plain Maven it's fine, but as soon as I start adding plugin configuration, it becomes a mess of properties and profiles. I know I could clean it up with xincludes.

Delany

On Wed, 17 Nov 2021 at 18:19, Maarten Mulders <[email protected]> wrote:

> Gary beat me to it :-) I would be hesitant to add support for XML
> Entities or XML Includes. Both have proven themselves to be a frequent
> source of security issues ([1], [2] and probably a lot more). The
> problem is that XML parsers typically do not allow selective includes,
> so if we want to prevent anything from outside the project folder we
> would probably have to code that ourselves.
>
> Apart from that, I feel it does not solve a real-world problem our users
> are facing. If we only allow importing other files that reside in the
> same repository, then those bits can just as well be in the pom.xml itself.
>
> Thanks,
>
> Maarten
>
> [1] https://en.wikipedia.org/wiki/Billion_laughs_attack
> [2] https://en.wikipedia.org/wiki/XML_external_entity_attack
>
> On 17/11/2021 17:17, Gary Gregory wrote:
> > The parsers I've seen don't "prevent" XI, you have to enable the feature;
> > note that some folks don't like DTD processing and XI for security reasons.
> >
> > Gary
> >
> > On Wed, Nov 17, 2021, 09:17 Romain Manni-Bucau <[email protected]> wrote:
> >
> >> Hi all,
> >>
> >> Almost everything is in the subject: any reason our pom parser prevents
> >> the use of XML includes (https://www.w3.org/TR/xinclude/)?
> >>
> >> It would be very convenient to import some part of the pom definition from
> >> .mvn/ or a project folder (indeed remote/insecure imports would be
> >> forbidden).
> >>
> >> Just an xpp3 limitation or something deeper?
> >> Do we want to support it?
> >>
> >> Romain Manni-Bucau
> >> @rmannibucau <https://twitter.com/rmannibucau> | Blog
> >> <https://rmannibucau.metawerx.net/> | Old Blog
> >> <http://rmannibucau.wordpress.com> | Github
> >> <https://github.com/rmannibucau> | LinkedIn
> >> <https://www.linkedin.com/in/rmannibucau> | Book
> >> <https://www.packtpub.com/application-development/java-ee-8-high-performance>
> >>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
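Maarten's point above, that parsers do not offer selective includes and that keeping xi:include inside the project folder would have to be coded by hand, as an added example that is not part of this thread and not Maven's own parser: a loader for Python's standard-library ElementInclude that refuses any URL scheme and any target resolving (after symlinks and `..`) outside the directory of the pom being parsed. The project layout, the sample files and the IncludeRejected name are constructed for the demo; the base_url and max_depth arguments need Python 3.9 or later.

```python
import tempfile
from pathlib import Path
from urllib.parse import urlsplit
from xml.etree import ElementInclude, ElementTree as ET
class IncludeRejected(Exception):
    """Raised when an xi:include names a URL or a file outside the project folder."""

def make_project_loader(project_root):
    """Return an ElementInclude loader that serves only files below project_root."""
    root = Path(project_root).resolve()
    def loader(href, parse, encoding=None):
        # Any URL scheme (http:, file:, jar:) is refused outright: includes stay local.
        if urlsplit(href).scheme:
            raise IncludeRejected(f"non-local include refused: {href}")
        # Resolve symlinks and '..' segments, then check the target sits under root.
        target = Path(href).resolve()
        if root not in target.parents:
            raise IncludeRejected(f"include outside project folder refused: {href}")
        return ElementInclude.default_loader(str(target), parse, encoding)
    return loader

def load_pom(pom_path, max_depth=3):
    """Parse a pom.xml and expand its xi:include elements, in-tree targets only."""
    pom_path = Path(pom_path).resolve()
    tree = ET.parse(pom_path)
    # base_url resolves hrefs against the pom itself; max_depth bounds nested includes.
    ElementInclude.include(tree.getroot(), loader=make_project_loader(pom_path.parent),
                           base_url=str(pom_path), max_depth=max_depth)
    return tree.getroot()

def build_fixture():
    """Constructed sample data: a pom with an in-tree include and one with a traversal."""
    base = Path(tempfile.mkdtemp())
    proj = base / "proj"
    (proj / "parts").mkdir(parents=True)
    (proj / "parts" / "deps.xml").write_text(
        "<dependencies><dependency><artifactId>junit</artifactId></dependency></dependencies>")
    (base / "secret.xml").write_text("<leak>lives outside the project folder</leak>")
    xi = 'xmlns:xi="http://www.w3.org/2001/XInclude"'
    (proj / "pom.xml").write_text(f'<project {xi}><xi:include href="parts/deps.xml"/></project>')
    (proj / "evil-pom.xml").write_text(f'<project {xi}><xi:include href="../secret.xml"/></project>')
    return proj / "pom.xml", proj / "evil-pom.xml"

if __name__ == "__main__":
    good, bad = build_fixture()
    print(ET.tostring(load_pom(good), encoding="unicode"))
    try:
        load_pom(bad)
    except IncludeRejected as err:
        print("rejected:", err)
```

The same loader refuses a `parse="text"` include of a file outside the tree, since the path check runs before any file is opened.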
