[
https://issues.apache.org/jira/browse/TINKERPOP-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16986053#comment-16986053
]
Stephen Mallette commented on TINKERPOP-2320:
---------------------------------------------
Thanks for bringing this up. Given the intended usage of the {{GraphMLReader}}
is it reasonable to think that users are utilizing external DTDs in some way?
I'm inclined to think that the answer is "no" and that introducing a breaking
change here wouldn't be a big deal, but I'm really not sure. If you're not sure
either then perhaps you could write a post to the gremlin-users list, reference
this issue and ask what folks think. If there are no objections I'd say we just
take the breaking change rather than introduce a gang of complexity to the
{{GraphMLReader.Builder}} just to configure the {{XmlInputFactory}} (unless you
can think of other common use cases that would benefit from such a thing). What
do you think?
> [SECURITY] XMLInputFactory initialization in GraphMLReader introduces
> ----------------------------------------------------------------------
>
> Key: TINKERPOP-2320
> URL: https://issues.apache.org/jira/browse/TINKERPOP-2320
> Project: TinkerPop
> Issue Type: Improvement
> Components: io
> Affects Versions: 3.4.4
> Reporter: Norio Akagi
> Priority: Major
>
> I use TinkerPop in my company and now the security team had audits and
> reported that this part in GraphML reader may introduce XXE vulnerabilities.
> {{private final XMLInputFactory inputFactory =
> XMLInputFactory.newInstance();}}
> Some documents recommend adding some properties to protect it, as follows:
> [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser]
> So I am wondering if I can either
> 1. just hard-code to set these properties in the constructor of GraphMLReader
> (it will break the existing behavior if users use it)
> 2. somehow make these properties configurable so that we can pass some flags
> and depending on the flags, we initialize GraphMLReader with those properties.
> Any recommendation? I am happy to add an implementation to handle it but need
> some input on which direction I should take.
> Thanks.
> Norio
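As an added illustration (not code from this ticket or from TinkerPop itself), the factory exactly as the reporter quotes it is placed beside one configured with the two properties from the OWASP cheat sheet linked above, and both are run over a constructed GraphML-shaped document that carries a DOCTYPE with an entity declaration. The accepted-versus-rejected outcome is an assumption about the JDK's built-in StAX implementation; other StAX providers may differ.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;

public class HardenedStaxDemo {
    // Constructed sample: a GraphML-shaped document whose DOCTYPE declares an entity.
    // An XXE payload would declare a SYSTEM entity here; an internal one suffices to
    // show whether DTD processing is honoured at all.
    static final String DOC_WITH_DTD =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE graphml [<!ENTITY ext \"expanded-from-dtd\">]>\n" +
        "<graphml><node id=\"n0\"><data key=\"name\">&ext;</data></node></graphml>";

    // Factory as the reporter quotes it: implementation defaults, DTDs processed.
    static XMLInputFactory defaultFactory() {
        return XMLInputFactory.newInstance();
    }

    // Factory hardened per the OWASP cheat sheet: no DTD processing and no external
    // entity resolution, so a DOCTYPE can no longer pull in local files or remote URLs.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Pull the text of the first <data> element, roughly as a GraphML reader would.
    static String firstDataText(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.START_ELEMENT && "data".equals(r.getLocalName())) {
                    return r.getElementText();
                }
            }
            return null;
        } finally {
            r.close();
        }
    }

    public static void main(String[] args) {
        // Expected on the JDK's built-in StAX: default expands the entity; hardened rejects
        // the undeclared reference because the DTD was never processed.
        for (String label : new String[] {"default", "hardened"}) {
            XMLInputFactory f = label.equals("default") ? defaultFactory() : hardenedFactory();
            try {
                System.out.println(label + ": parsed, <data> = " + firstDataText(f, DOC_WITH_DTD));
            } catch (XMLStreamException e) {
                System.out.println(label + ": rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Applying the two properties unconditionally is option 1 from the description; the same two lines could be driven by builder flags for option 2.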
--
This message was sent by Atlassian Jira
(v8.3.4#803005)