Hey mate,

For security issues it is good to try and contact project leadership and seek a responsible disclosure policy.
For GeoTools we have a bi-weekly meeting (video chat) if you wish to look at options with the team. A reminder is sent to the email list beforehand.

--
Jody Garnett

On Fri, 26 Feb 2021 at 07:59, Thorsten Lange <thorsten.la...@xarvio.com> wrote:
> Hi all,
>
> while working with org.geotools.wfs.GML, we have found that an application using this utility class to decode XML files might open itself up to an XML external entity (XXE) vulnerability.
>
> Is it possible to control the underlying XML parser in some way to disable external entity and DTD processing to close this vulnerability?
>
> The way it currently works, it would seem to me that org.geotools.wfs.GML should rather not be used in applications that accept data from 3rd parties. Since GML in turn uses org.geotools.xsd.Parser, I believe that more such vulnerabilities may exist in geotools.
>
> If you are interested in the specifics, I can provide an example file and a small test class to demonstrate the vulnerability against gt-xsd-wfs 24.2, which I did not want to post on a public mailing list yet.
>
> You can find general information on XXE vulnerabilities at
> https://owasp.org/www-project-top-ten/2017/A4_2017-XML_External_Entities_(XXE)
>
> Kind regards,
> Thorsten
>
> _______________________________________________
> GeoTools-Devel mailing list
> GeoTools-Devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geotools-devel
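As an added illustration of the parser settings Thorsten asks about (example code written for this page, not GeoTools code, and not a way to configure org.geotools.xsd.Parser, which the thread does not describe): the standard JAXP SAX features that switch DTD and external-entity processing off, checked against a constructed document carrying a DOCTYPE.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class XxeHardeningCheck {
    // Constructed sample (not from the thread): a DOCTYPE declaring an entity that a
    // default parser expands; the hardened parser refuses any DOCTYPE, external or not.
    static final String DOC_WITH_DTD =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE gml [ <!ENTITY e \"entity expanded\"> ]>\n"
        + "<gml:FeatureCollection xmlns:gml=\"http://www.opengis.net/gml\">&e;</gml:FeatureCollection>";

    /** Factory with JAXP defaults: DTDs and entity declarations are processed. */
    static SAXParserFactory defaultFactory() {
        return SAXParserFactory.newInstance();
    }

    /** Hardened factory: refuse DOCTYPE entirely and load no external content. */
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f;
    }

    /** Collects the element text, or returns "REJECTED: ..." when the parser refuses the document. */
    static String parse(SAXParserFactory factory, String xml) throws Exception {
        StringBuilder text = new StringBuilder();
        try {
            factory.newSAXParser().parse(
                new InputSource(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))),
                new DefaultHandler() {
                    @Override public void characters(char[] ch, int start, int len) { text.append(ch, start, len); }
                });
        } catch (SAXParseException e) {
            return "REJECTED: " + e.getMessage();
        }
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default : " + parse(defaultFactory(), DOC_WITH_DTD));
        System.out.println("hardened: " + parse(hardenedFactory(), DOC_WITH_DTD));
    }
}
```

Whether a library exposes its SAXParserFactory (or an equivalent setting) decides whether this hardening can be applied from the calling application; the same feature names apply to DocumentBuilderFactory when a DOM parser is used instead.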