Norio Akagi created TINKERPOP-2320:
--------------------------------------

             Summary: [SECURITY] XMLInputFactory initialization in GraphMLReader introduces 
                 Key: TINKERPOP-2320
                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2320
             Project: TinkerPop
          Issue Type: Improvement
          Components: io
    Affects Versions: 3.4.4
            Reporter: Norio Akagi


I use TinkerPop in my company, and our security team has now audited it and reported 
that this part of the GraphML reader may introduce XXE vulnerabilities.

{{private final XMLInputFactory inputFactory = XMLInputFactory.newInstance();}}

Some documents recommend adding some properties to protect against it, for example: 

[https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser]

So I am wondering if I can either

1. just hard-code these properties in the constructor of GraphMLReader 
(it will break the existing behavior if users rely on it), or

2. somehow make these properties configurable, so that we can pass some flags 
and, depending on the flags, initialize GraphMLReader with those properties.

Any recommendation? I am happy to add an implementation to handle it, but I need 
some input on which direction I should take.

Thanks.
Norio
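The following is an added example, not code from the TinkerPop project or from the issue reporter, showing what the two options above look like in StAX code: a factory that is always hardened with the two properties the OWASP cheat sheet names (SUPPORT_DTD and IS_SUPPORTING_EXTERNAL_ENTITIES set to false), and a variant behind a flag. The class name, the flag name `allowExternalEntities`, and the GraphML-like sample document with its external entity declaration are all constructed for this illustration; whether a hardened parser throws on the DOCTYPE or silently ignores the entity depends on the StAX implementation on the classpath, so the `main` method reports either outcome.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;

public final class HardenedStaxFactoryExample {

    // Constructed sample: a tiny GraphML-like document whose DTD declares an
    // external entity. An unhardened XMLInputFactory would try to resolve it.
    private static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE graphml [<!ENTITY ext SYSTEM \"file:///tmp/constructed-example.txt\">]>\n" +
        "<graphml><node id=\"n0\"><data key=\"name\">&ext;</data></node></graphml>";

    /** Option 1 from the issue: a factory that is always hardened. */
    public static XMLInputFactory newHardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // Disable DTD processing entirely; this is the primary XXE defence.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        // Defence in depth: never resolve external entities even if a DTD were processed.
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    /** Option 2 from the issue: hardening controlled by a flag (hypothetical name). */
    public static XMLInputFactory newFactory(boolean allowExternalEntities) {
        if (!allowExternalEntities) {
            return newHardenedFactory();
        }
        // Legacy behaviour: the unconfigured factory the issue quotes.
        return XMLInputFactory.newInstance();
    }

    /** Concatenates all character data seen while streaming through the document. */
    static String readTextContent(XMLInputFactory f, String xml) throws XMLStreamException {
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        StringBuilder sb = new StringBuilder();
        try {
            while (r.hasNext()) {
                int ev = r.next();
                if (ev == XMLStreamConstants.CHARACTERS || ev == XMLStreamConstants.ENTITY_REFERENCE) {
                    // getText() may be null for an unresolved entity reference.
                    String t = r.getText();
                    if (t != null) {
                        sb.append(t);
                    }
                }
            }
        } finally {
            r.close();
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        try {
            String text = readTextContent(newHardenedFactory(), SAMPLE);
            // Reaching here means the implementation skipped the DTD rather than rejecting it;
            // the entity must not have been expanded to file contents.
            System.out.println("hardened parser accepted the document; text content = \"" + text + "\"");
        } catch (XMLStreamException e) {
            System.out.println("hardened parser rejected the document: " + e.getMessage());
        }
    }
}
```

For a reader's configurable variant, the flag in `newFactory` would be populated from the reader's builder; the safe default is the hardened factory, with the unhardened factory available only when explicitly requested.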



--
This message was sent by Atlassian Jira
(v8.3.4#803005)