Stephan Siano created CAMEL-8312:
------------------------------------

             Summary: XML External Entity (XXE) injection in XPath if no type converter for documentType
                 Key: CAMEL-8312
                 URL: https://issues.apache.org/jira/browse/CAMEL-8312
             Project: Camel
          Issue Type: Bug
          Components: camel-core
    Affects Versions: 2.14.1, 2.13.3
            Reporter: Stephan Siano


If the documentType of an XPath expression is set to a class for which no type 
converter exists, and the data to which the expression is applied is of type 
WrappedFile or String, the XPath will seem to work anyway. However, this setup 
makes the scenario susceptible to XXE injection attacks, because the 
InputSource created from the String or GenericFile is parsed by a default 
parser within the XPath evaluation, so the XXE succeeds.

Even worse, if the documentType is Document (the default) and the DOM parsing 
fails because the document is invalid and contains an XXE injection, this 
allows DoS attacks on the system.

The two unit tests contained in the patch show these two use cases (and throw a 
FileNotFoundException on an unchanged XPath builder).

As a side effect the Exception in the XPathFeatureTest.testXPath changes 
(because initially there are errors during type conversion and during XPath 
evaluation whereas after the patch processing is stopped after the type 
conversion error).

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)