Precision regarding the transformer behavior on Xalan 2.7.2: FEATURE_SECURE_PROCESSING does protect from calling extension functions.

FEATURE_SECURE_PROCESSING does not protect from external entities and external stylesheets. The transformer provided by the Oracle JRE by default will block all three XML features when FEATURE_SECURE_PROCESSING is set.

________________________________
From: Philippe Arteau
Sent: March 20, 2019 4:50:08 PM
To: dev@xalan.apache.org
Subject: FEATURE_SECURE_PROCESSING when Xalan is in the classpath

Hi,

I am not sure if the Xalan team is aware of this behavior. Once Xalan Java is in the classpath of a Java application, the flag FEATURE_SECURE_PROCESSING is not honored.

The user plokta on GitHub reported this issue to the find-sec-bugs project. He has even created a project for easy reproduction: https://github.com/plokta/transformerXXE

When the security feature is ignored, it can lead to SSRF, remote file read or even remote code execution in the case of XSLT parsing.

Reference to the initial report: https://github.com/find-sec-bugs/find-sec-bugs/issues/433

--
Philippe Arteau
Cybersecurity Researcher
GoSecure POWERED BY COUNTERTACK
www.gosecure.net
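An added hardening example (not code from the thread, Xalan, or find-sec-bugs) showing how an application can close all three gaps discussed above, whichever TransformerFactory implementation the classpath resolves to: FEATURE_SECURE_PROCESSING for extension functions, the JAXP 1.5 ACCESS_EXTERNAL_* attributes where the implementation knows them, and a rejecting URIResolver plus a DOCTYPE-refusing input parser as the backstop for an implementation that does not. The class name, the `disallow-doctype-decl` Xerces feature and the catch-and-fall-through for IllegalArgumentException are this example's own choices.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import org.xml.sax.InputSource;

public class HardenedXslt {
    // Factory that blocks the three features the thread lists, whichever
    // implementation TransformerFactory.newInstance() picks from the classpath.
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Xalan 2.7.2: blocks extension functions only. JRE built-in: blocks all three.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        try {
            // JAXP 1.5 attributes; an implementation that does not know them
            // throws IllegalArgumentException, so we fall through to the backstop.
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException unsupported) {
            // Rely on the resolver and the input parser below instead.
        }
        // Backstop for xsl:import, xsl:include and document(): refuse every fetch.
        tf.setURIResolver((href, base) -> {
            throw new TransformerException("blocked external resource: " + href);
        });
        return tf;
    }

    // Backstop for external entities: parse the input XML ourselves with DOCTYPE
    // disallowed, so the transformer never sees an entity it could resolve.
    static SAXSource noDoctypeSource(String xml) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return new SAXSource(spf.newSAXParser().getXMLReader(),
                             new InputSource(new StringReader(xml)));
    }

    static String transform(String xslt, String xml) throws Exception {
        Transformer t = hardenedFactory().newTransformer(new StreamSource(new StringReader(xslt)));
        StringWriter out = new StringWriter();
        t.transform(noDoctypeSource(xml), new StreamResult(out));
        return out.toString();
    }
}
```

With this setup an untrusted stylesheet that uses xsl:import or document() fails at compile or run time with the "blocked external resource" TransformerException instead of fetching anything, and an input document carrying a DOCTYPE is rejected before the transformer runs.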