All,
Tomcat parses XML documents in a handful of places for example:
1. Main config files (server.xml, web.xml, context.xml)
2. JSPs
3. JSP tag-library descriptors (TLDs)
4. WebDAV requests
5. Directory-index XSL transforms
In most of these cases, the XML parser is put into a "safe"
configuration by disabling some of the more vulnerability-prone features
of XML parsers such as external-entity expansion.
But nowhere in the Tomcat code base do we ever set the
FEATURE_SECURE_PROCESSING "feature" specifically to TRUE.
This isn't exactly a problem because the other configuration that we
have in-place should cover everything necessary to prevent abuse.
But I'm wondering if we should enable SECURE_PROCESSING in some, or all
of these contexts by default, but allow administrators to disable such
protections if they require some of those features (e.g.
entity-expansion in server.xml).
I'm thinking of this from a secure-by-default perspective. Most
administrators do not need any of these semi-dangerous XML features, so
I think we should disable them by default.
I also think we might be able to remove some code and rely on the
built-in capabilities of XML processors to protect users.
For example, here is the code from the WebDAV servlet for creating a DOM
parser:
documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setNamespaceAware(true);
documentBuilderFactory.setExpandEntityReferences(false);
documentBuilder = documentBuilderFactory.newDocumentBuilder();
documentBuilder.setEntityResolver(new
WebdavResolver(this.getServletContext()));
The WebdavResolver code looks like this:
public InputSource resolveEntity(String publicId, String systemId) {
context.log(sm.getString("webdavservlet.externalEntityIgnored",
publicId, systemId));
return new InputSource(new StringReader("Ignored external
entity"));
}
I believe this class can be replaced with this configuration:
documentBuilderFactory.setXIncludeAware(false);
documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities";,
false);
documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities";,
false);
documentBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd";,
false);
documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";,
true);
documentBuilderFactory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING,
true);
The above basically enables every security feature available for XML
parsing as well as disabling all of the sharp edges of XML parsing. I
think we can get rid of our hand-written EntityResolvers if we enable
these security features.
Java 8 and later set FEATURE_SECURE_PROCESSING to true by default, but
this only limits the extent to which resources can be consumed; it only
mitigates resource-exhaustion attacks and does not protect against
data-exfiltration, etc. Also, such "secure processing" is /not/ enabled
for XPath and XSLT. We don't use XPath and we have only one place we use
XSLT.
I'm wondering if there is a good way to enable many or all of these
secure-parsing features for all of the places in Tomcat where XML is
parsed, while also allowing administrators to remove those protections
for the rare cases when they are necessary.
It would be very easy to use a system property (or series of them) to
enable protections for all cases, but that doesn't allow the flexibility
to reduce the protections on only one parser (e.g. server.xml) while
leaving the others in-place.
We could define a suite of system properties such as
FQCN.xml-feature-foo=true|false to override each one of them.
On the other hand, we've been trying to get away from using system
properties to configure things since it affects the whole JVM and not a
specific application or instance of Tomcat (if Tomcat is being used in a
rare embedded way with multiple server instances for example).
Or are there maybe cases where these protections should NEVER be
reduced? I'm think about the WebDAV servlet as a good example: there is
never a good reason to allow remote-client-provided XML to be parsed in
a potentially dangerous way. Maybe in those cases, we just enable all of
the protections and don't give administrators any choices.
Am I wasting my time thinking about this? Each place in the Tomcat code
does things a little bit differently. If nothing else, perhaps a review
of what we do in each place would make sense and at least a minimum
level of uniformity could be brought to each use of XML parsing in
Tomcat's code.
WDYT?
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
