[
https://issues.apache.org/jira/browse/CAMEL-8312?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Claus Ibsen resolved CAMEL-8312.
--------------------------------
Resolution: Fixed
Fix Version/s: 2.14.3
2.13.4
> XML External Entity (XXE) injection in XPath
> --------------------------------------------
>
> Key: CAMEL-8312
> URL: https://issues.apache.org/jira/browse/CAMEL-8312
> Project: Camel
> Issue Type: Improvement
> Components: camel-core
> Affects Versions: 2.13.3, 2.14.1
> Reporter: Stephan Siano
> Assignee: Claus Ibsen
> Fix For: 2.13.4, 2.14.3, 2.15.0
>
> Attachments:
> 0001-CAMEL-8312-XXE-vulnerability-in-XPath-evaluator.patch
>
>
> If the documentType of an XPath expression is set to a class for that no type
> converter exists and the data to which the expression is applied is of type
> WrappedFile or String the XPath will seem to work anyway. However this setup
> will make the scenario susceptible to XXE injection attacks (because the
> InputSource created from the String or Generic file will be parsed by a
> default parser within the XPath evaluation and the XXE will succeed.
> Even worse, if the documentType is Document (the default) and the DOM parsing
> fails because the document is invalid and contains an XXE injection this will
> allow DOS attacks on the system.
> The two unit tests contained in the patch show these two use cases (and throw
> a FileNotFoundException on an unchanged XPath builder).
> As a side effect the Exception in the XPathFeatureTest.testXPath changes
> (because initially there are errors during type conversion and during XPath
> evaluation whereas after the patch processing is stopped after the type
> conversion error).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
