[
https://issues.apache.org/jira/browse/OOZIE-2489?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15223062#comment-15223062
]
Hadoop QA commented on OOZIE-2489:
----------------------------------
Testing JIRA OOZIE-2489
Cleaning local git workspace
----------------------------
{color:green}+1 PATCH_APPLIES{color}
{color:green}+1 CLEAN{color}
{color:red}-1 RAW_PATCH_ANALYSIS{color}
. {color:green}+1{color} the patch does not introduce any @author tags
. {color:green}+1{color} the patch does not introduce any tabs
. {color:green}+1{color} the patch does not introduce any trailing spaces
. {color:green}+1{color} the patch does not introduce any line longer than
132
. {color:red}-1{color} the patch does not add/modify any testcase
{color:green}+1 RAT{color}
. {color:green}+1{color} the patch does not seem to introduce new RAT
warnings
{color:green}+1 JAVADOC{color}
. {color:green}+1{color} the patch does not seem to introduce new Javadoc
warnings
{color:green}+1 COMPILE{color}
. {color:green}+1{color} HEAD compiles
. {color:green}+1{color} patch compiles
. {color:green}+1{color} the patch does not seem to introduce new javac
warnings
{color:green}+1 BACKWARDS_COMPATIBILITY{color}
. {color:green}+1{color} the patch does not change any JPA
Entity/Colum/Basic/Lob/Transient annotations
. {color:green}+1{color} the patch does not modify JPA files
{color:red}-1 TESTS{color}
. Tests run: 1768
. Tests failed: 0
. Tests errors: 1
. The patch failed the following testcases:
.
{color:green}+1 DISTRO{color}
. {color:green}+1{color} distro tarball builds with the patch
----------------------------
{color:red}*-1 Overall result, please check the reported -1(s)*{color}
The full output of the test-patch run is available at
. https://builds.apache.org/job/oozie-trunk-precommit-build/2808/
> XML parsing is vulnerable
> -------------------------
>
> Key: OOZIE-2489
> URL: https://issues.apache.org/jira/browse/OOZIE-2489
> Project: Oozie
> Issue Type: Bug
> Affects Versions: 4.1.0
> Reporter: Ferenc Denes
> Assignee: Ferenc Denes
> Labels: security, xml
> Fix For: trunk
>
> Attachments: OOZIE-2489-1.patch, OOZIE-2489-2.patch,
> OOZIE-2489-3.patch
>
>
> The XML parsing has some security problems:
> XML External Entity attack:
> XML External Entities attacks benefit from an XML feature to build documents
> dynamically at the time of processing. An XML entity allows inclusion of data
> dynamically from a given resource. External entities allow an XML document to
> include data from an external URI. Unless configured to do otherwise,
> external entities force the XML parser to access the resource specified by
> the URI, e.g., a file on the local machine or on a remote system. This
> behavior exposes the application to XML External Entity (XXE) attacks, which
> can be used to perform denial of service of the local system, gain
> unauthorized access to files on the local machine, scan remote machines, and
> perform denial of service of remote systems.
> The following XML document shows an example of an XXE attack.
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <!DOCTYPE foo [
> <!ELEMENT foo ANY >
> <!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>
> This example could crash the server (on a UNIX system), if the XML parser
> attempts to substitute the entity with the contents of the /dev/random file.
> XML Entity Expansion injection also known as XML Bombs are DoS attacks that
> benefit from valid and well-formed XML blocks that expand exponentially until
> they exhaust the server allocated resources. XML allows to define custom
> entities which act as string substitution macros. By nesting recurrent entity
> resolutions, an attacker can easily crash the server resources.
> The following XML document shows an example of an XML Bomb.
> <?xml version="1.0"?>
> <!DOCTYPE lolz [
> <!ENTITY lol "lol">
> <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
> ]>
> <lolz>&lol9;</lolz>
> Both problems can be solved by setting features and parameters of the XML
> parser factories.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
