Wouter Kobes (https://osgeo-org.atlassian.net/secure/ViewProfile.jspa?accountId=62458690f6a26900695d1762) created an issue

GeoServer (https://osgeo-org.atlassian.net/browse/GEOS?atlOrigin=eyJpIjoiNjg4ZTEyMjkzYTBhNGJjZThiMmM5YjRiM2Y5MzYyNzgiLCJwIjoiaiJ9) / Bug GEOS-10438: ENTITY_RESOLUTION_ALLOWLIST property not working
https://osgeo-org.atlassian.net/browse/GEOS-10438?atlOrigin=eyJpIjoiNjg4ZTEyMjkzYTBhNGJjZThiMmM5YjRiM2Y5MzYyNzgiLCJwIjoiaiJ9

Issue Type: Bug
Assignee: Unassigned
Created: 31/Mar/22 1:07 PM
Priority: Medium
Reporter: Wouter Kobes (https://osgeo-org.atlassian.net/secure/ViewProfile.jspa?accountId=62458690f6a26900695d1762)

There seem to be several problems within the ENTITY_RESOLUTION_ALLOWLIST 
setting, which can be used to reduce the http/https sources that are allowed by 
the application. I have encountered two functional bugs and one security issue. 
Of the latter I will send an email with details.

The first bug is encountered here: 
https://github.com/geoserver/geoserver/blob/c4e0c506024bbf455430fad33d25e938c85952c6/src/main/src/main/java/org/geoserver/util/EntityResolverProvider.java#L124

{noformat}
} else if (!"".equals(allowed.trim())) {
{noformat}

Should be

{noformat}
} else if ("".equals(allowed.trim())) {
{noformat}

Otherwise the content of the entity resolution allowlist is never parsed.

The second issue is in 
https://github.com/geoserver/geoserver/blob/c4e0c506024bbf455430fad33d25e938c85952c6/src/main/src/main/java/org/geoserver/util/AllowListEntityResolver.java#L112

The getExternalSubset function is used when the allowlist is set.
This function calls resolveEntity with:

return resolveEntity(name, null, baseURI, null);

systemId is set to null. However, resolveEntity tries to parse systemId to a 
URI:

if (URI.create(systemId).isAbsolute()) {

Thus a NullPointerException is thrown, and caught in line 164. This results in 
a SAXException thrown in line 169 with message "Entity resolution disallowed 
for null" for any resolution attempt.

The security vulnerability will be reported through email, but could lead to a 
bypass of the setting (if the previous two bugs are addressed).
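To make the two functional bugs concrete, the following is an added, self-contained example of an allowlist-based SAX EntityResolver2. It is not GeoServer's AllowListEntityResolver or EntityResolverProvider and is not taken from the project; class and method names are hypothetical, and it assumes a comma-separated list of host names as the property format (GeoServer's actual syntax is not asserted here). It shows the corrected "blank means no allowlist" condition from the first bug, and a getExternalSubset/resolveEntity pair that tolerates a null systemId rather than throwing NullPointerException as in the second bug.

```java
import java.net.URI;
import java.util.Arrays;
import java.util.Collections;
import java.util.Set;
import java.util.stream.Collectors;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.ext.EntityResolver2;

/**
 * Hypothetical allowlist entity resolver (example code, not GeoServer's).
 * Only http/https references whose host is on the allowlist are resolved;
 * everything else, including a null systemId, is refused without an NPE.
 */
public class AllowlistEntityResolverExample implements EntityResolver2 {

    // Empty set means "nothing may be fetched"; the set is never null.
    private final Set<String> allowedHosts;

    public AllowlistEntityResolverExample(String allowlistProperty) {
        this.allowedHosts = parseAllowlist(allowlistProperty);
    }

    /**
     * Blank or null property => no hosts allowed (the condition the report
     * says must be "".equals(...), not !"".equals(...)); otherwise split the
     * assumed comma-separated host list into a normalised set.
     */
    static Set<String> parseAllowlist(String allowed) {
        if (allowed == null || "".equals(allowed.trim())) {
            return Collections.emptySet();
        }
        return Arrays.stream(allowed.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .map(String::toLowerCase)
                .collect(Collectors.toSet());
    }

    /** Decide whether an entity reference may be fetched; null-safe. */
    boolean isAllowed(String systemId) {
        if (systemId == null) {
            return false; // getExternalSubset passes null: deny, never dereference
        }
        URI uri;
        try {
            uri = URI.create(systemId);
        } catch (IllegalArgumentException e) {
            return false; // unparsable reference: deny
        }
        if (!uri.isAbsolute()) {
            return false; // relative references are not resolved against anything
        }
        String scheme = uri.getScheme().toLowerCase();
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return false; // file:, jar: and other schemes are never fetched
        }
        String host = uri.getHost();
        // Exact host comparison, not prefix/substring matching on the raw string.
        return host != null && allowedHosts.contains(host.toLowerCase());
    }

    /**
     * Called by the parser when a document declares no external subset.
     * Returning null means "no subset supplied"; delegating to resolveEntity
     * with a null systemId (as the report describes) would refuse every
     * document instead.
     */
    @Override
    public InputSource getExternalSubset(String name, String baseURI) {
        return null;
    }

    @Override
    public InputSource resolveEntity(String name, String publicId, String baseURI,
            String systemId) throws SAXException {
        if (!isAllowed(systemId)) {
            throw new SAXException("Entity resolution disallowed for " + systemId);
        }
        return null; // null lets the parser open the (allowed) systemId itself
    }

    @Override
    public InputSource resolveEntity(String publicId, String systemId) throws SAXException {
        return resolveEntity(null, publicId, null, systemId);
    }

    public static void main(String[] args) throws SAXException {
        // Constructed sample configuration and references for demonstration.
        AllowlistEntityResolverExample r =
                new AllowlistEntityResolverExample(" www.w3.org, schemas.example.org ");
        System.out.println("w3.org xsd allowed: "
                + r.isAllowed("https://www.w3.org/2001/xml.xsd"));
        System.out.println("unlisted host allowed: "
                + r.isAllowed("http://unlisted.example/x.dtd"));
        System.out.println("null systemId allowed: " + r.isAllowed(null));
        System.out.println("external subset: " + r.getExternalSubset("root", null));
        System.out.println("blank property allows anything: "
                + new AllowlistEntityResolverExample("   ")
                        .isAllowed("https://www.w3.org/2001/xml.xsd"));
    }
}
```

Running main shows the listed host accepted, the unlisted host and the null systemId refused without an exception, getExternalSubset returning null, and a blank property yielding an empty allowlist. The design choice worth noting is that denial is the default for every branch (null, unparsable, relative, non-http scheme, unknown host), so a parsing mistake in the property value fails closed rather than open.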

_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
