[ https://issues.apache.org/jira/browse/TINKERPOP-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16995832#comment-16995832 ]

Norio Akagi commented on TINKERPOP-2320:
----------------------------------------

Thank you for the response. I understand your opinion...but still want to give 
some flexibility here:P

How about changing the code so that a provider can pass its own XMLInputFactory 
when instantiating GraphMLReader? Actually this saves our case. The idea is 
here:
[https://github.com/apache/tinkerpop/pull/1230]

This won't break any existing behavior but gives us a chance to pass a 
different inputFactory with the configuration we need. Please let me know your 
thoughts.

> [SECURITY] XMLInputFactory initialization in GraphMLReader introduces 
> ----------------------------------------------------------------------
>
>                 Key: TINKERPOP-2320
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2320
>             Project: TinkerPop
>          Issue Type: Improvement
>          Components: io
>    Affects Versions: 3.4.4
>            Reporter: Norio Akagi
>            Priority: Major
>
> I use TinkerPop in my company, and our security team recently ran an audit and 
> reported that this part of the GraphML reader may introduce XXE vulnerabilities:
> {{private final XMLInputFactory inputFactory = 
> XMLInputFactory.newInstance();}}
> Some documentation recommends adding some properties to protect it, as follows: 
> [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser]
> So I am wondering if I can either
> 1. just hard-code these properties in the constructor of GraphMLReader 
> (it will break the existing behavior for users who rely on it), or
> 2. somehow make these properties configurable so that we can pass some flags 
> and, depending on the flags, initialize GraphMLReader with those properties.
> Any recommendation? I am happy to add an implementation to handle it but need 
> some input on which direction I should take.
> Thanks.
> Norio
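As an added illustration (not code from the issue, the PR, or TinkerPop itself), the following Java snippet builds an XMLInputFactory hardened with the two properties from the OWASP StAX guidance linked above and checks that a GraphML document carrying a DOCTYPE is refused while a plain GraphML document still parses. The GraphML snippets are constructed for the example; how such a factory is handed to GraphMLReader is left to the PR and is not shown here.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import java.io.StringReader;

public class HardenedGraphMLFactory {

    // Factory configured per the OWASP "XMLInputFactory (a StAX parser)" section.
    static XMLInputFactory hardenedInputFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // GraphML needs no DTD, so refuse DOCTYPE handling outright.
        f.setProperty(XMLInputFactory.IS_SUPPORT_DTD, false);
        // Never fetch external entities even if a DTD were somehow processed.
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    // Streams the whole document with the given factory; false means the parser rejected it.
    static boolean parses(XMLInputFactory factory, String xml) {
        try {
            XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                r.next();
            }
            r.close();
            return true;
        } catch (XMLStreamException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a minimal, well-formed GraphML document.
        String clean = "<graphml xmlns=\"http://graphml.graphdrawing.org/xmlns\">"
                + "<graph id=\"G\" edgedefault=\"directed\"><node id=\"n0\"/></graph></graphml>";
        // Constructed sample: the same document with a DTD declaring an entity that the body references.
        // A permissive factory expands it; the hardened one fails either at the DOCTYPE or at the reference.
        String withDtd = "<!DOCTYPE graphml [<!ENTITY probe \"n0\">]>"
                + "<graphml xmlns=\"http://graphml.graphdrawing.org/xmlns\">"
                + "<graph id=\"G\" edgedefault=\"directed\"><node id=\"&probe;\"/></graph></graphml>";

        XMLInputFactory permissive = XMLInputFactory.newInstance(); // what GraphMLReader does today
        XMLInputFactory hardened = hardenedInputFactory();

        System.out.println("permissive accepts DTD document: " + parses(permissive, withDtd));
        System.out.println("hardened accepts DTD document:   " + parses(hardened, withDtd));
        System.out.println("hardened accepts clean GraphML:  " + parses(hardened, clean));
    }
}
```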
