[ 
https://issues.apache.org/jira/browse/CALCITE-7601?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

ASF GitHub Bot updated CALCITE-7601:
------------------------------------
    Labels: pull-request-available  (was: )

> harden ST_GeomFromGML against external entity expansion
> -------------------------------------------------------
>
>                 Key: CALCITE-7601
>                 URL: https://issues.apache.org/jira/browse/CALCITE-7601
>             Project: Calcite
>          Issue Type: Bug
>            Reporter: Alhuda Khan
>            Priority: Major
>              Labels: pull-request-available
>
> ## Jira Link
>
> A Jira can be filed for this if preferred; raising the patch first since the change is small and self-contained.
>
> ## Changes Proposed
>
> Repro: `SELECT ST_GeomFromGML(g)` where `g` is a GML string carrying a DOCTYPE with an external entity, e.g. `<!DOCTYPE x [ <!ENTITY e SYSTEM "file:///etc/passwd"> ]>` referenced from `<gml:coordinates>&e;,0</gml:coordinates>`.
>
> Expected: the entity is not resolved.
>
> Actual: `fromGml` builds a JTS `GMLReader`, whose internal `SAXParserFactory` leaves DOCTYPE and external general/parameter entities enabled, so the parser fetches the entity target and inlines it into the geometry. That is local file read / SSRF (XXE) from row data, since the GML argument crosses the trust boundary at the `ST_GeomFromGML` SQL function.
>
> Fix: parse with a `SAXParser` configured with `disallow-doctype-decl` and external entities off, feeding JTS's own `GMLHandler`. Same hardening already used in `XmlFunctions` and `DiffRepository`.
>
> Test: `SpatialTypeUtilsTest` gets a regression that points an external entity at a temp file holding a valid coordinate, so an unguarded parser would return `POINT (7 8)` while the guarded one rejects the document.
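The shape of the fix described above, written out as an added, stand-alone example rather than Calcite's own `fromGml` or the patch attached to this issue. It assumes the JTS classes `org.locationtech.jts.io.gml2.GMLHandler` (constructor taking a `GeometryFactory` and an `ErrorHandler`, `getGeometry()` after parsing) and `GeometryFactory`; the class name `HardenedGmlReader` and the sample GML strings are made up for the illustration. The XML feature URIs are the standard Xerces/SAX ones supported by the JDK's built-in parser.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.locationtech.jts.geom.Geometry;
import org.locationtech.jts.geom.GeometryFactory;
import org.locationtech.jts.io.gml2.GMLHandler;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/**
 * Added example: parses GML with a SAXParser that refuses DOCTYPE and external
 * entities, then hands the events to JTS's own GMLHandler. Not Calcite code.
 */
public final class HardenedGmlReader {
  private HardenedGmlReader() {}

  public static Geometry read(String gml, GeometryFactory gf) throws Exception {
    SAXParserFactory factory = SAXParserFactory.newInstance();
    // GMLHandler matches element names such as gml:Point without namespace processing,
    // mirroring how JTS's GMLReader configures its own parser.
    factory.setNamespaceAware(false);
    factory.setValidating(false);
    // Primary control: any DOCTYPE (and therefore any entity declaration) is a hard error.
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    // Defence in depth for parsers that ignore the feature above.
    factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    factory.setXIncludeAware(false);

    SAXParser parser = factory.newSAXParser();
    GMLHandler handler = new GMLHandler(gf, null); // null: no delegate ErrorHandler
    parser.parse(new InputSource(new StringReader(gml)), handler);
    return handler.getGeometry();
  }

  public static void main(String[] args) throws Exception {
    GeometryFactory gf = new GeometryFactory();

    // Constructed benign input: parses to a point.
    String benign = "<gml:Point><gml:coordinates>7,8</gml:coordinates></gml:Point>";
    System.out.println("benign -> " + read(benign, gf));

    // Constructed input carrying a DOCTYPE with an external entity, the pattern from
    // the issue text. The hardened parser rejects it before resolving anything.
    String withDoctype = "<!DOCTYPE x [ <!ENTITY e SYSTEM \"file:///etc/passwd\"> ]>"
        + "<gml:Point><gml:coordinates>&e;,0</gml:coordinates></gml:Point>";
    try {
      read(withDoctype, gf);
      System.out.println("UNEXPECTED: document with DOCTYPE was accepted");
    } catch (SAXParseException e) {
      System.out.println("rejected as expected: " + e.getMessage());
    }
  }
}
```

The regression test described in the issue follows the same pattern: a document whose entity points at a file holding a valid coordinate distinguishes a parser that silently resolves the entity (which would yield a geometry) from one that rejects the DOCTYPE outright, so the test asserts on the exception rather than on an empty or malformed result.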



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
