[ 
https://issues.apache.org/jira/browse/EAGLE-159?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16347176#comment-16347176
 ] 

Colm O hEigeartaigh commented on EAGLE-159:
-------------------------------------------

XmlHelper is no longer included in the Eagle source, so this issue could be 
resolved.

> XML parser configured in org.apache.eagle.jobrunning.crawler.XmlHelper is not 
> protected from Xml eXternal Entities injection attack
> -----------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: EAGLE-159
>                 URL: https://issues.apache.org/jira/browse/EAGLE-159
>             Project: Eagle
>          Issue Type: Bug
>            Reporter: Michael Wu
>            Assignee: Hao Chen
>            Priority: Major
>
> Scanned and found by Fortify app:
> At org.apache.eagle.jobrunning.crawler.XmlHelper:41, XML parser configured at 
> this position does not prevent nor limit external entities resolution, this 
> can expose the parser to an XML External Entities attack.
> >> Explanation of the issue:
> 1. XML External Entities attacks benefit from an XML feature to build 
> documents dynamically at the time of processing. An XML entity allows 
> inclusion of data dynamically from a given resource. External entities allow 
> an XML document to include data from an external URI. Unless configured to do 
> otherwise, external entities force the XML parser to access the resource 
> specified by the URI, e.g., a file on the local machine or on a remote 
> system. This behavior exposes the application to XML External Entity (XXE) 
> attacks, which can be used to perform denial of service of the local system, 
> gain unauthorized access to files on the local machine, scan remote machines, 
> and perform denial of service of remote systems.
> 2. The following XML document shows an example of an XXE attack.
> *****************************
> <?xml version="1.0" encoding="ISO-8859-1"?>
>  <!DOCTYPE foo [
>   <!ELEMENT foo ANY >
>   <!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>
> *****************************
> This example could crash the server (on a UNIX system), if the XML parser 
> attempts to substitute the entity with the contents of the /dev/random file.
> >> Solving recommendation:
> 1. The XML unmarshaller should be configured securely so that it does not 
> allow external entities as part of an incoming XML document.
> 2. To avoid XXE injection do not use unmarshal methods that process an XML 
> source directly as java.io.File, java.io.Reader or java.io.InputStream. Parse 
> the document with a securely configured parser and use an unmarshal method 
> that takes the secure parser as the XML source as shown in the following 
> example:
> **********************
> // suppose we've got Unmarshaller instance referenced by unmarshaller 
> DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
> dbf.setExpandEntityReferences(false);
> DocumentBuilder db = dbf.newDocumentBuilder();
> Document document = db.parse(<XML Source>);
> Model model = (Model) unmarshaller.unmarshal(document);
> **********************



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
