[
https://issues.apache.org/jira/browse/OOZIE-2489?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15215112#comment-15215112
]
Hadoop QA commented on OOZIE-2489:
----------------------------------
Testing JIRA OOZIE-2489
Cleaning local git workspace
----------------------------
{color:green}+1 PATCH_APPLIES{color}
{color:green}+1 CLEAN{color}
{color:red}-1 RAW_PATCH_ANALYSIS{color}
. {color:green}+1{color} the patch does not introduce any @author tags
. {color:green}+1{color} the patch does not introduce any tabs
. {color:green}+1{color} the patch does not introduce any trailing spaces
. {color:green}+1{color} the patch does not introduce any line longer than 132
. {color:red}-1{color} the patch does not add/modify any testcase
{color:green}+1 RAT{color}
. {color:green}+1{color} the patch does not seem to introduce new RAT warnings
{color:green}+1 JAVADOC{color}
. {color:green}+1{color} the patch does not seem to introduce new Javadoc warnings
{color:green}+1 COMPILE{color}
. {color:green}+1{color} HEAD compiles
. {color:green}+1{color} patch compiles
. {color:green}+1{color} the patch does not seem to introduce new javac warnings
{color:green}+1 BACKWARDS_COMPATIBILITY{color}
. {color:green}+1{color} the patch does not change any JPA Entity/Column/Basic/Lob/Transient annotations
. {color:green}+1{color} the patch does not modify JPA files
{color:red}-1 TESTS{color}
. Tests run: 1768
. Tests failed: 30
. Tests errors: 13
. The patch failed the following testcases:
. testSubmitPig(org.apache.oozie.client.TestOozieCLI)
. testSubmitMapReduce(org.apache.oozie.client.TestOozieCLI)
. testSubmitMapReduce2(org.apache.oozie.client.TestOozieCLI)
. testSubmitDoAs(org.apache.oozie.client.TestOozieCLI)
. testSubmitWithPropertyArguments(org.apache.oozie.client.TestOozieCLI)
. testRunWithDebug(org.apache.oozie.client.TestOozieCLI)
. testPropertiesWithTrailingSpaces(org.apache.oozie.client.TestOozieCLI)
. testJobDryrun(org.apache.oozie.client.TestOozieCLI)
. testUpdateWithDryrun(org.apache.oozie.client.TestOozieCLI)
. testSubmit(org.apache.oozie.client.TestOozieCLI)
. testReRun(org.apache.oozie.client.TestOozieCLI)
. testUpdate(org.apache.oozie.client.TestOozieCLI)
. testRun(org.apache.oozie.client.TestOozieCLI)
. testCoordRerunCleanup(org.apache.oozie.command.coord.TestCoordRerunXCommand)
. testCoordRerunRefresh(org.apache.oozie.command.coord.TestCoordRerunXCommand)
. testCoordRerunCleanupOption(org.apache.oozie.command.coord.TestCoordRerunXCommand)
. testCoordRerunCleanupNoOutputEvents(org.apache.oozie.command.coord.TestCoordRerunXCommand)
. testCoordRerunCleanupForHCat(org.apache.oozie.command.coord.TestCoordRerunXCommand)
. testCoordRerunActions1(org.apache.oozie.command.coord.TestCoordRerunXCommand)
. testCoordRerunActions2(org.apache.oozie.command.coord.TestCoordRerunXCommand)
. testCoordRerunActions3(org.apache.oozie.command.coord.TestCoordRerunXCommand)
. testCoordRerunActionsNeg1(org.apache.oozie.command.coord.TestCoordRerunXCommand)
. testCoordRerunActionsNeg2(org.apache.oozie.command.coord.TestCoordRerunXCommand)
. testCoordRerunDate1(org.apache.oozie.command.coord.TestCoordRerunXCommand)
. testCoordRerunDate2(org.apache.oozie.command.coord.TestCoordRerunXCommand)
. testCoordRerunDate3(org.apache.oozie.command.coord.TestCoordRerunXCommand)
. testCoordRerunDate4(org.apache.oozie.command.coord.TestCoordRerunXCommand)
. testCoordRerunDateNeg(org.apache.oozie.command.coord.TestCoordRerunXCommand)
. testCoordRerunKilledCoord(org.apache.oozie.command.coord.TestCoordRerunXCommand)
. testCoordRerunFailedCoordAction(org.apache.oozie.command.coord.TestCoordRerunXCommand)
{color:green}+1 DISTRO{color}
. {color:green}+1{color} distro tarball builds with the patch
----------------------------
{color:red}*-1 Overall result, please check the reported -1(s)*{color}
The full output of the test-patch run is available at
. https://builds.apache.org/job/oozie-trunk-precommit-build/2789/
> XML parsing is vulnerable
> -------------------------
>
> Key: OOZIE-2489
> URL: https://issues.apache.org/jira/browse/OOZIE-2489
> Project: Oozie
> Issue Type: Bug
> Affects Versions: 4.1.0
> Reporter: Ferenc Denes
> Assignee: Ferenc Denes
> Labels: security, xml
> Fix For: trunk
>
> Attachments: OOZIE-2489-1.patch, OOZIE-2489-2.patch
>
>
> The XML parsing has some security problems:
> XML External Entity attack:
> XML External Entities attacks benefit from an XML feature to build documents
> dynamically at the time of processing. An XML entity allows inclusion of data
> dynamically from a given resource. External entities allow an XML document to
> include data from an external URI. Unless configured to do otherwise,
> external entities force the XML parser to access the resource specified by
> the URI, e.g., a file on the local machine or on a remote system. This
> behavior exposes the application to XML External Entity (XXE) attacks, which
> can be used to perform denial of service of the local system, gain
> unauthorized access to files on the local machine, scan remote machines, and
> perform denial of service of remote systems.
> The following XML document shows an example of an XXE attack.
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <!DOCTYPE foo [
> <!ELEMENT foo ANY >
> <!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>
> This example could crash the server (on a UNIX system), if the XML parser
> attempts to substitute the entity with the contents of the /dev/random file.
> XML Entity Expansion injection, also known as XML Bombs, is a DoS attack that
> benefits from valid and well-formed XML blocks that expand exponentially until
> they exhaust the server's allocated resources. XML allows defining custom
> entities which act as string substitution macros. By nesting recurrent entity
> resolutions, an attacker can easily crash the server.
> The following XML document shows an example of an XML Bomb.
> <?xml version="1.0"?>
> <!DOCTYPE lolz [
> <!ENTITY lol "lol">
> <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
> ]>
> <lolz>&lol9;</lolz>
> Both problems can be solved by setting features and parameters of the XML
> parser factories.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
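The last sentence of the quoted description says the fix is a matter of parser factory features and parameters. The following is an added Java example illustrating that, not Oozie code and not the attached OOZIE-2489 patches: a default JAXP DocumentBuilderFactory next to a hardened one, fed the two kinds of payload from the description. The class name, the scaled-down bomb (three entity levels instead of nine, so the default parser survives it) and the file path in the XXE payload are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedXmlParsing {

    // Constructed input: a scaled-down XML bomb. lol3 expands to 10*10*3 = 300 characters;
    // the lol9 version quoted in the issue would expand to 3 * 10^9.
    static final String SMALL_BOMB =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE lolz [\n"
      + " <!ENTITY lol \"lol\">\n"
      + " <!ENTITY lol2 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n"
      + " <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n"
      + "]>\n"
      + "<lolz>&lol3;</lolz>";

    // Constructed input: an external entity pulling in a local file (path is illustrative).
    static final String XXE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE foo [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\"> ]>\n"
      + "<foo>&xxe;</foo>";

    /** Default JAXP factory: accepts a DOCTYPE, expands entities, follows SYSTEM URIs. */
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Hardened factory: no DOCTYPE means no entity can be declared, so neither attack applies. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary control (Xerces feature): reject any document carrying a DOCTYPE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for the case where DOCTYPE must later be re-enabled:
        // do not resolve external general or parameter entities, do not fetch external DTDs.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // XInclude is another route to remote content; keep it off.
        f.setXIncludeAware(false);
        // Keeps EntityReference nodes instead of inlining them; secondary, not a DoS fix by itself.
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses xml with the given factory and returns the root element's text. */
    static String parseRootText(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Default factory: the bomb is silently expanded (300 characters here).
        System.out.println("default factory, expanded length = "
            + parseRootText(defaultFactory(), SMALL_BOMB).length());

        // Hardened factory: both payloads fail fast at the DOCTYPE, before any entity is touched.
        for (String payload : new String[] { SMALL_BOMB, XXE }) {
            try {
                parseRootText(hardenedFactory(), payload);
                System.out.println("hardened factory: parsed (unexpected)");
            } catch (SAXException e) {
                System.out.println("hardened factory: rejected -> " + e.getMessage());
            }
        }
    }
}
```

The same idea carries over to the other JAXP entry points: a SAXParserFactory takes the identical feature URIs, and for StAX the corresponding switch is XMLInputFactory.SUPPORT_DTD set to false. Recent JDKs also cap internal entity expansion (the JAXP entityExpansionLimit property), which blunts the bomb but does nothing for XXE, so it is a mitigation rather than a substitute for disabling DOCTYPE and external entities at the factory.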