Re: [basex-talk] SSL support for BaseX REST API

2018-03-14 Thread Andy Bunce
I have been trying this out recently, in part to look at service workers [1].
I am using BaseX 9 betas for this. This has a newer jetty version.
I have put a jetty.xml that is working for me as a gist [2].

You will need to change the keystore location [3] to something that points
to your keystore.
It is based on the jetty9 article [4]

/Andy

[1] https://w3c.github.io/ServiceWorker/
[2] https://gist.github.com/apb2006/b24e92f84c42838ec7ef7de2cf937835
[3] https://gist.github.com/apb2006/b24e92f84c42838ec7ef7de2cf937835#file-jetty-xml-L57
[4] https://www.blackpepper.co.uk/what-we-think/blog/jetty-runner-https-xml-configuration


On 14 March 2018 at 20:59, Liam R. E. Quin wrote:

> On Wed, 2018-03-14 at 14:18 -0500, Giavanna J Richards wrote:
> > I'm trying to determine how to enable SSL communications with the
> > BaseX server
>
> I don't know if this helps, but I run BaseX listening only to
> "localhost" so that SSL isn't an issue (as a connection to localhost
> doesn't normally go over a network), and connect (on the same system)
> from PHP or Perl (!) or you can proxy via apache.
>
> If BaseX is running on a different computer, you could also proxy on
> the system running BaseX e.g. with apache and .htaccess or the server
> conf & mod_rewrite. That way you'd use SSL to get to apache and then an
> in-memory connection from there to BaseX.
>
> Liam
>
> --
> Liam Quin, W3C, http://www.w3.org/People/Quin/
> Staff contact for Verifiable Claims WG, SVG WG, XQuery WG
> Improving Web Advertising: https://www.w3.org/community/web-adv/
> Personal: awesome vintage art: http://www.fromoldbooks.org/
>


Re: [basex-talk] SSL support for BaseX REST API

2018-03-14 Thread Liam R. E. Quin
On Wed, 2018-03-14 at 14:18 -0500, Giavanna J Richards wrote:
> I'm trying to determine how to enable SSL communications with the
> BaseX server

I don't know if this helps, but I run BaseX listening only to
"localhost" so that SSL isn't an issue (as a connection to localhost
doesn't normally go over a network), and connect (on the same system)
from PHP or Perl (!) or you can proxy via apache.

If BaseX is running on a different computer, you could also proxy on
the system running BaseX e.g. with apache and .htaccess or the server
conf & mod_rewrite. That way you'd use SSL to get to apache and then an
in-memory connection from there to BaseX.

Liam

-- 
Liam Quin, W3C, http://www.w3.org/People/Quin/
Staff contact for Verifiable Claims WG, SVG WG, XQuery WG
Improving Web Advertising: https://www.w3.org/community/web-adv/
Personal: awesome vintage art: http://www.fromoldbooks.org/
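The arrangement Liam describes above, written out as an added example that is not part of the thread or of BaseX: BaseX keeps listening only on localhost (that binding is done on the BaseX/Jetty side, not here), and Apache terminates TLS and forwards just the REST path to it. The hostname, the certificate paths and the BaseX port (8984 is the BaseX default HTTP port) are assumptions; mod_ssl, mod_proxy, mod_proxy_http and mod_headers must be enabled.

```apache
# Added example (not from the thread): Apache terminates TLS and proxies
# only the REST path to a BaseX HTTP server that is bound to localhost.
<VirtualHost *:443>
    # assumed hostname and certificate locations
    ServerName basex.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/basex.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/basex.example.org.key

    # BaseX itself never listens on a public interface; traffic from here
    # to 127.0.0.1:8984 (assumed BaseX HTTP port) stays on the local host.
    ProxyPreserveHost On
    ProxyPass        /rest http://127.0.0.1:8984/rest
    ProxyPassReverse /rest http://127.0.0.1:8984/rest
    # Let BaseX see that the client side of the connection was HTTPS
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

The REST API's own HTTP Basic authentication keeps working unchanged, but the credentials now travel over TLS between the client and Apache. Because only `/rest` is proxied, any other path BaseX serves on that port stays reachable from the local host alone unless you add a further ProxyPass for it.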


Re: [basex-talk] TR: Marklogic XXE and XML Bomb prevention

2018-03-14 Thread Christian Grün
Bridger, thanks a lot for the good reminder!


Bridger Dyson-Smith wrote on Wed, 14 March 2018 at 21:29:

> Forwarding/replying to the list, since I'm officially Bad At Email.
>
> On Wed, Mar 14, 2018 at 11:56 AM, Bridger Dyson-Smith <
> bdysonsm...@gmail.com> wrote:
>
>> Hi Fabrice -
>>
>> On Wed, Mar 14, 2018 at 11:28 AM, Fabrice ETANCHAUD <
>> fetanch...@pch.cerfrance.fr> wrote:
>>
>>> Hello,
>>>
>>>
>>>
>>> I found this MarkLogic post interesting,
>>>
>>> So I forward it to the BaseX users.
>>>
>>> I do not remember loading data I did not trust, but did somebody
>>> experience this kind of issue?
>>>
>>>
>> I certainly haven't :) but clearly Christian, et al, have considered
>> something similar to this. The INTPARSE[1] option lets you use an internal
>> parser, instead of the standard Java parser.  There are options in the
>> BaseX GUI to use the INTPARSE *and* expand entities from DTDs, but I don't
>> know if those switches are available in the Options.
>>
>>>
>>>
>>> Best regards,
>>>
>>> Fabrice Etanchaud
>>>
>>>
>>>
>>
>> Hope that sheds some light on this. I tried the MarkLogic example using
>> the INTPARSE (and no DTDs/entity parsing) and created a database that
>> contains `` :).
>>
>> And on an additional test, again using the BaseX GUI, using the default
> Java Parser (both with and without the 'Parse DTDs and entities' option
> selected), databases were created that expanded the entity and inserted
> 
>   
> ONE
>   
> 
> into the db.
>
>
>> Best,
>> Bridger
>>
>> [1] http://docs.basex.org/wiki/Options#INTPARSE
>>
>> So... untrusted input? INTPARSE is your friend - unless you need to
> expand custom entities.
>
> Bridger
>
>
>>
>>
>>> *From:* general-boun...@developer.marklogic.com [mailto:
>>> general-boun...@developer.marklogic.com] *On behalf of* Marcel de
>>> Kleine
>>> *Sent:* Wednesday 14 March 2018 13:43
>>> *To:* gene...@developer.marklogic.com
>>> *Subject:* [MarkLogic Dev General] Marklogic XXE and XML Bomb prevention
>>>
>>>
>>>
>>> Hello,
>>>
>>>
>>>
>>> We have noticed Marklogic is vulnerable to xxe (entity expansion) and
>>> xml bomb attacks. When loading a malicious document using
>>> xdmp:document-insert it won’t catch these and cause either loading of
>>> unwanted external documents (xxe) and lockup of the system (xml bomb).
>>>
>>>
>>>
>>> For example, if I load this document :
>>>
>>> 
>>>
>>> >>
>>>
>>>
>>>]>
>>>
>>> 
>>>
>>>
>>>
>>> The file test.xml gets nicely added to the xml document.
>>>
>>>
>>>
>>> See OWASP and others for examples.
>>>
>>>
>>>
>>> This is clearly an XML processing issue, so the question is: can we
>>> disable this? And if so, on what levels would this be possible. Best should
>>> be system-wide.
>>>
>>> ( And if you cannot disable this, I think this is something ML should
>>> address immediately.
>>>
>>>
>>>
>>> Thank you in advance,
>>>
>>> Marcel de Kleine, EPAM
>>>
>>>
>>>
>>> Marcel de Kleine
>>>
>>> Senior Software Engineer
>>>
>>>
>>>
>>> Office: +31 20 241 6134 x 30530   Cell: +31 6 14806016   Email:
>>> marcel_de_kle...@epam.com
>>>
>>> Delft, Netherlands   epam.com
>>>
>>>
>>>
>>> CONFIDENTIALITY CAUTION AND DISCLAIMER
>>> This message is intended only for the use of the individual(s) or
>>> entity(ies) to which it is addressed and contains information that is
>>> legally privileged and confidential. If you are not the intended recipient,
>>> or the person responsible for delivering the message to the intended
>>> recipient, you are hereby notified that any dissemination, distribution or
>>> copying of this communication is strictly prohibited. All unintended
>>> recipients are obliged to delete this message and destroy any printed
>>> copies.
>>>
>>>
>>>
>>
>>
>


Re: [basex-talk] TR: Marklogic XXE and XML Bomb prevention

2018-03-14 Thread Bridger Dyson-Smith
Forwarding/replying to the list, since I'm officially Bad At Email.

On Wed, Mar 14, 2018 at 11:56 AM, Bridger Dyson-Smith wrote:

> Hi Fabrice -
>
> On Wed, Mar 14, 2018 at 11:28 AM, Fabrice ETANCHAUD <
> fetanch...@pch.cerfrance.fr> wrote:
>
>> Hello,
>>
>>
>>
>> I found this MarkLogic post interesting,
>>
>> So I forward it to the BaseX users.
>>
>> I do not remember loading data I did not trust, but did somebody
>> experience this kind of issue?
>>
>>
> I certainly haven't :) but clearly Christian, et al, have considered
> something similar to this. The INTPARSE[1] option lets you use an internal
> parser, instead of the standard Java parser.  There are options in the
> BaseX GUI to use the INTPARSE *and* expand entities from DTDs, but I don't
> know if those switches are available in the Options.
>
>>
>>
>> Best regards,
>>
>> Fabrice Etanchaud
>>
>>
>>
>
> Hope that sheds some light on this. I tried the MarkLogic example using
> the INTPARSE (and no DTDs/entity parsing) and created a database that
> contains `` :).
>
> And on an additional test, again using the BaseX GUI, using the default
Java Parser (both with and without the 'Parse DTDs and entities' option
selected), databases were created that expanded the entity and inserted

  
ONE
  

into the db.


> Best,
> Bridger
>
> [1] http://docs.basex.org/wiki/Options#INTPARSE
>
> So... untrusted input? INTPARSE is your friend - unless you need to expand
custom entities.

Bridger


>
>
>> *From:* general-boun...@developer.marklogic.com [mailto:
>> general-boun...@developer.marklogic.com] *On behalf of* Marcel de Kleine
>> *Sent:* Wednesday 14 March 2018 13:43
>> *To:* gene...@developer.marklogic.com
>> *Subject:* [MarkLogic Dev General] Marklogic XXE and XML Bomb prevention
>>
>>
>>
>> Hello,
>>
>>
>>
>> We have noticed Marklogic is vulnerable to xxe (entity expansion) and xml
>> bomb attacks. When loading a malicious document using xdmp:document-insert
>> it won’t catch these and cause either loading of unwanted external
>> documents (xxe) and lockup of the system (xml bomb).
>>
>>
>>
>> For example, if I load this document :
>>
>> 
>>
>> >
>>
>>
>>]>
>>
>> 
>>
>>
>>
>> The file test.xml gets nicely added to the xml document.
>>
>>
>>
>> See OWASP and others for examples.
>>
>>
>>
>> This is clearly an XML processing issue, so the question is: can we
>> disable this? And if so, on what levels would this be possible. Best should
>> be system-wide.
>>
>> ( And if you cannot disable this, I think this is something ML should
>> address immediately.
>>
>>
>>
>> Thank you in advance,
>>
>> Marcel de Kleine, EPAM
>>
>>
>>
>> Marcel de Kleine
>>
>> Senior Software Engineer
>>
>>
>>
>> Office: +31 20 241 6134 x 30530   Cell: +31 6 14806016   Email:
>> marcel_de_kle...@epam.com
>>
>> Delft, Netherlands   epam.com
>>
>>
>>
>>
>>
>>
>
>
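Bridger's point is that the parser choice decides whether a DTD's entities get expanded at all. A complementary defence, written here as an added example that is not BaseX code and not from the thread, is to gate untrusted documents before any parser sees them: scan the DOCTYPE prolog, refuse anything that declares external entities (the XXE case, including the `SYSTEM "...test.xml"` pattern from the MarkLogic post) or whose internal entities would expand past a size budget (the XML-bomb case), and only then hand the document to BaseX. The regexes, thresholds and the three sample documents are constructed for the example; the `file:///tmp/test.xml` path is a placeholder.

```python
import math
import re
from dataclasses import dataclass, field

# Added example for this thread (not BaseX code): a pre-ingestion gate that
# scans the DTD prolog of an untrusted XML document and refuses it when it
# declares external entities (the XXE case) or when its internal entities
# would expand past a size budget (the XML-bomb case). It runs before any
# XML parser, BaseX's Java parser included, ever sees the document.

DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
# <!DOCTYPE name SYSTEM|PUBLIC ...>: the DTD itself is fetched from outside
DOCTYPE_EXT_RE = re.compile(r"<!DOCTYPE\s+\S+\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
# <!ENTITY [%] name SYSTEM|PUBLIC ...>: entity content fetched from outside
EXTERNAL_RE = re.compile(r"<!ENTITY\s+(%\s+)?(\S+)\s+(SYSTEM|PUBLIC)\b", re.IGNORECASE)
# <!ENTITY [%] name "value">: entity content given inline
INTERNAL_RE = re.compile(r"<!ENTITY\s+(%\s+)?(\S+)\s+([\"'])(.*?)\3\s*>", re.DOTALL)
# general entity reference &name; (character references &#...; are not matched)
REF_RE = re.compile(r"&([A-Za-z_:][\w.:-]*);")


@dataclass
class Report:
    has_doctype: bool = False
    external_dtd: bool = False
    external_entities: list = field(default_factory=list)
    parameter_entities: list = field(default_factory=list)
    internal_entities: dict = field(default_factory=dict)
    estimated_expansion: float = 0  # characters the body grows by; inf = recursive
    reasons: list = field(default_factory=list)

    @property
    def safe(self) -> bool:
        return not self.reasons


def _expanded_size(name, internal, stack):
    """Length of an internal entity once all nested references are expanded."""
    if name in stack:
        return math.inf  # recursive entity: illegal XML, treat as unbounded
    stack.add(name)
    value = internal[name]
    size, last = 0, 0
    for m in REF_RE.finditer(value):
        size += m.start() - last
        ref = m.group(1)
        # unknown or predefined entities (lt, amp, ...) are counted literally
        size += _expanded_size(ref, internal, stack) if ref in internal else len(m.group(0))
        last = m.end()
    size += len(value) - last
    stack.discard(name)
    return size


def inspect_xml(text, max_expansion=1_000_000, allow_doctype=False):
    """Scan an XML document's prolog and report why it must not be loaded.

    max_expansion: largest total entity expansion (characters) tolerated.
    allow_doctype: True only when a trusted source legitimately ships a DTD.
    """
    r = Report()
    m = DOCTYPE_RE.search(text)
    if not m:
        return r  # no DTD means no entity declarations at all
    r.has_doctype = True
    r.external_dtd = DOCTYPE_EXT_RE.match(text, m.start()) is not None
    # Split into the DOCTYPE declaration (with its internal subset) and the body
    open_br, close_gt = text.find("[", m.end()), text.find(">", m.end())
    if open_br != -1 and (close_gt == -1 or open_br < close_gt):
        end = text.find("]>", open_br)
        prolog, body = (text[m.end():end], text[end + 2:]) if end != -1 else (text[m.end():], "")
    else:
        prolog, body = (text[m.end():close_gt], text[close_gt + 1:]) if close_gt != -1 else (text[m.end():], "")
    for em in EXTERNAL_RE.finditer(prolog):
        r.external_entities.append(em.group(2))
        if em.group(1):
            r.parameter_entities.append(em.group(2))
    for im in INTERNAL_RE.finditer(prolog):
        if im.group(1):
            r.parameter_entities.append(im.group(2))
        else:
            r.internal_entities[im.group(2)] = im.group(4)
    # How much text the body gains when every reference is expanded
    r.estimated_expansion = sum(
        _expanded_size(bm.group(1), r.internal_entities, set())
        for bm in REF_RE.finditer(body) if bm.group(1) in r.internal_entities)
    if not allow_doctype:
        r.reasons.append("DOCTYPE present (pass allow_doctype=True for trusted DTD sources)")
    if r.external_dtd:
        r.reasons.append("DOCTYPE references an external DTD")
    if r.external_entities:
        r.reasons.append("external entities declared: " + ", ".join(r.external_entities))
    if r.parameter_entities:
        r.reasons.append("parameter entities declared: " + ", ".join(r.parameter_entities))
    if r.estimated_expansion > max_expansion:
        r.reasons.append(f"entity expansion of about {r.estimated_expansion:.0f} characters exceeds {max_expansion}")
    return r


# Constructed sample documents (the file path is a placeholder, not a real target)
BENIGN = '<?xml version="1.0"?><root><item>one</item></root>'
XXE = ('<?xml version="1.0"?><!DOCTYPE root [<!ENTITY ext SYSTEM "file:///tmp/test.xml">]>'
       '<root>&ext;</root>')
NESTED = ('<!DOCTYPE r [<!ENTITY a "0123456789"><!ENTITY b "&a;&a;&a;&a;">'
          '<!ENTITY c "&b;&b;&b;&b;">]><r>&c;&c;</r>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("xxe", XXE), ("nested", NESTED)):
        rep = inspect_xml(doc, max_expansion=100, allow_doctype=True)
        print(label, "safe" if rep.safe else "REJECTED: " + "; ".join(rep.reasons))
```

The default policy rejects any DOCTYPE at all, which is the right setting for an ingestion endpoint that takes data from strangers and matches what INTPARSE without DTD parsing gives you inside BaseX. `allow_doctype=True` is for the case Bridger names, where custom entities must be expanded: the gate then still refuses external and parameter entities and bounds the expansion, so the Java parser can be used with DTD support for that source without accepting the two attack classes from the MarkLogic post.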


Re: [basex-talk] SSL support for BaseX REST API

2018-03-14 Thread Christian Grün
Hi Giavanna,

The SSL feature has not been maintained for a while now. With
BaseX 9.0, it will be completely removed, because the old solution is
no longer compatible with Jetty 9. We may introduce it in the future
once we find a good way to do so. There is a StackOverflow question that
relates to this issue [1], but no helpful answer has been given so far.
Suggestions from users who use Jetty and SSL are welcome.

All the best,
Christian

[1] https://stackoverflow.com/questions/32734920/using-jetty-9-and-jetty-xml-with-basex




On Wed, Mar 14, 2018 at 8:18 PM, Giavanna J Richards wrote:
> I'm trying to determine how to enable SSL communications with the BaseX
> server. I have a Java server which communicates with BaseX over its REST
> API for running XQueries. I see in the BaseX changelog that SSL support was
> added to version 7.5 in 2012 but I haven't been able to find any references
> to it in the documentation.
>
> I found some statements in the jetty.xml file which are commented out and
> would appear to enable SSL on port 8986.  But I'm not at all familiar with
> jetty.  Is there some documentation available for enabling this support?
>
> Thanks in advance!
>
> Giavanna Richards


Re: [basex-talk] TR: Marklogic XXE and XML Bomb prevention

2018-03-14 Thread Christian Grün
Hi Fabrice,

Thanks for the hint; definitely interesting to track down. Did you
already manage to trigger this behavior in BaseX (with the REST
interface, or anything else)?

Best,
Christian


On Wed, Mar 14, 2018 at 4:28 PM, Fabrice ETANCHAUD wrote:
> Hello,
>
>
>
> I found this MarkLogic post interesting,
>
> So I forward it to the BaseX users.
>
> I do not remember loading data I did not trust, but did somebody experience
> this kind of issue?
>
>
>
> Best regards,
>
> Fabrice Etanchaud
>
>
>
> From: general-boun...@developer.marklogic.com
> [mailto:general-boun...@developer.marklogic.com] On behalf of Marcel de
> Kleine
> Sent: Wednesday 14 March 2018 13:43
> To: gene...@developer.marklogic.com
> Subject: [MarkLogic Dev General] Marklogic XXE and XML Bomb prevention
>
>
>
> Hello,
>
>
>
> We have noticed Marklogic is vulnerable to xxe (entity expansion) and xml
> bomb attacks. When loading a malicious document using xdmp:document-insert
> it won’t catch these and cause either loading of unwanted external documents
> (xxe) and lockup of the system (xml bomb).
>
>
>
> For example, if I load this document :
>
> 
>
> 
>
>
>]>
>
> 
>
>
>
> The file test.xml gets nicely added to the xml document.
>
>
>
> See OWASP and others for examples.
>
>
>
> This is clearly an XML processing issue, so the question is: can we disable
> this? And if so, on what levels would this be possible. Best should be
> system-wide.
>
> ( And if you cannot disable this, I think this is something ML should
> address immediately.
>
>
>
> Thank you in advance,
>
> Marcel de Kleine, EPAM
>
>
>
> Marcel de Kleine
>
> Senior Software Engineer
>
>
>
> Office: +31 20 241 6134 x 30530   Cell: +31 6 14806016   Email:
> marcel_de_kle...@epam.com
>
> Delft, Netherlands   epam.com
>
>
>
>
>


[basex-talk] SSL support for BaseX REST API

2018-03-14 Thread Giavanna J Richards
I'm trying to determine how to enable SSL communications with the BaseX
server. I have a Java server which communicates with BaseX over its REST
API for running XQueries. I see in the BaseX changelog that SSL support
was added to version 7.5 in 2012 but I haven't been able to find any
references to it in the documentation.

I found some statements in the jetty.xml file which are commented out and
would appear to enable SSL on port 8986. But I'm not at all familiar with
jetty. Is there some documentation available for enabling this support?

Thanks in advance!

Giavanna Richards



[basex-talk] TR: Marklogic XXE and XML Bomb prevention

2018-03-14 Thread Fabrice ETANCHAUD
Hello,

I found this MarkLogic post interesting,
So I forward it to the BaseX users.
I do not remember loading data I did not trust, but did somebody experience 
this kind of issue?

Best regards,
Fabrice Etanchaud

From: general-boun...@developer.marklogic.com
[mailto:general-boun...@developer.marklogic.com] On behalf of Marcel de Kleine
Sent: Wednesday 14 March 2018 13:43
To: gene...@developer.marklogic.com
Subject: [MarkLogic Dev General] Marklogic XXE and XML Bomb prevention

Hello,

We have noticed Marklogic is vulnerable to xxe (entity expansion) and xml bomb 
attacks. When loading a malicious document using xdmp:document-insert it won't
catch these and cause either loading of unwanted external documents (xxe) and 
lockup of the system (xml bomb).

For example, if I load this document :


   " >]>


The file test.xml gets nicely added to the xml document.

See OWASP and others for examples.

This is clearly an XML processing issue, so the question is: can we disable
this? And if so, on what levels would this be possible. Best should be 
system-wide.
( And if you cannot disable this, I think this is something ML should address 
immediately.

Thank you in advance,
Marcel de Kleine, EPAM

Marcel de Kleine
Senior Software Engineer

Office: +31 20 241 6134 x 30530   Cell: 
+31 6 14806016   Email: 
marcel_de_kle...@epam.com
Delft, Netherlands   epam.com
