Hi,

nextgens has stated his concern about whether the WOT XML parser is vulnerable to the "XXE" attack: https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing

I produced a unit test to check the XML snippet which is provided at the above wiki: https://github.com/freenet/plugin-WebOfTrust/commit/21c90c2b3c94ac90aec6a31c63c81fa66d191ad6

It succeeds (= the attack fails) because the DOCTYPE declaration is disallowed by the existing settings of the XML parser. I am not sure whether this fixes all possible versions of the attack. Can someone tell me whether the attack would be possible with something else than DOCTYPE? If yes, can you provide an XML snippet so I can add it to the unit tests to check whether we're vulnerable?

Also, while you're at it, please review the XML parser settings of WOT for other possible security issues: https://github.com/freenet/plugin-WebOfTrust/blob/21c90c2b3c94ac90aec6a31c63c81fa66d191ad6/src/plugins/WebOfTrust/XMLTransformer.java#L127

Possible things to review:
- Maybe check the whole list of functions of DocumentBuilderFactory.
- Notably, there are some constants ACCESS_EXTERNAL... which we don't use: https://docs.oracle.com/javase/7/docs/api/javax/xml/XMLConstants.html Should we use them all? Or are they as well covered by DOCTYPE? And if yes to use them, use them with which setAttribute() values?

Thanks for your help!
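The following is an added example, not code from the WOT plugin or from the author of the message above. It shows a hardened `DocumentBuilderFactory` configuration of the kind the message asks about, together with a small self-check that feeds it three constructed documents: a benign one, the OWASP-style general-entity XXE snippet, and a parameter-entity variant, both pointing at inert placeholder URIs. Entities (general or parameter) can only be declared inside a DTD, so refusing the DOCTYPE declaration is the primary defence; the SAX feature switches and the JAXP 1.5 `ACCESS_EXTERNAL_DTD` / `ACCESS_EXTERNAL_SCHEMA` attributes (set to the empty string, meaning "no protocol allowed") are defence in depth for the case where a DOCTYPE ever has to be accepted. The class name, method names and sample XML are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/** Added example (not WOT code): a DocumentBuilderFactory locked down against XXE. */
public class HardenedXmlParser {

    public static DocumentBuilderFactory newHardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();

        // Primary defence: a DTD is the only place where general or parameter entities can be
        // declared, so rejecting any DOCTYPE declaration blocks every entity-based XXE variant.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

        // Defence in depth, in case a future change ever has to allow a DOCTYPE:
        // do not resolve external general or parameter entities, and do not fetch external DTDs.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);

        // XInclude is another way to pull in external content; entity expansion is not needed.
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);

        // JAXP 1.5 (Java 7u40+): the empty string means no protocol may be used to fetch
        // external DTDs or schemas. Fail closed if the installed parser does not support them.
        try {
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        } catch (IllegalArgumentException e) {
            throw new ParserConfigurationException("Parser lacks JAXP 1.5 external-access limits: " + e);
        }
        return f;
    }

    public static Document parse(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder builder = newHardenedFactory().newDocumentBuilder();
        return builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** True if the hardened parser refuses the document (what a unit test would assert). */
    public static boolean isRejected(String xml) {
        try {
            parse(xml);
            return false;
        } catch (SAXException e) {
            return true;
        } catch (ParserConfigurationException | IOException e) {
            throw new IllegalStateException("Parser misconfigured, failing closed", e);
        }
    }

    public static void main(String[] args) {
        // Constructed samples; the SYSTEM URIs are inert placeholders, nothing is fetched.
        String benign = "<?xml version=\"1.0\"?><WebOfTrust><Identity Name=\"alice\"/></WebOfTrust>";
        String generalEntity = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///placeholder-does-not-exist\">]>"
                + "<foo>&xxe;</foo>";
        String parameterEntity = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE foo [<!ENTITY % pe SYSTEM \"file:///placeholder-does-not-exist\"> %pe;]>"
                + "<foo/>";

        System.out.println("benign rejected:           " + isRejected(benign));           // false
        System.out.println("general-entity rejected:   " + isRejected(generalEntity));    // true
        System.out.println("parameter-entity rejected: " + isRejected(parameterEntity));  // true
    }
}
```

With the built-in JDK parser all three feature URIs above are recognised; a parser that does not know them throws `ParserConfigurationException` from `setFeature`, which this code deliberately lets propagate rather than silently continuing with a weaker configuration. The parameter-entity document is the kind of second snippet a unit test could add alongside the OWASP one, and it is rejected by the same DOCTYPE rule.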
_______________________________________________ Devl mailing list Devl@freenetproject.org https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl