Re: Fwd: XXE

2013-02-01 Thread Cezar Andrei
I'm not sure I understand exactly what you're looking for but I'll give
it a try.

It's possible to pass the exact XML parser that XMLBeans should use, see
http://xmlbeans.apache.org/docs/2.6.0/reference/org/apache/xmlbeans/XmlOptions.html#setLoadUseXMLReader(org.xml.sax.XMLReader)
and
http://xmlbeans.apache.org/docs/2.6.0/reference/org/apache/xmlbeans/XmlOptions.html#setLoadUseDefaultResolver()

Setting these options to your own parser and resolver should give you
full control over which resources XMLBeans operates on.

Cezar

On Wed, 2013-01-30 at 16:40 -0800, Jon Gorrono wrote:
 Hello.
 
 I didn't get a bite on the question below posted to the user@xmlbeans
 list a couple of weeks ago so I am working up the chain ;)
 
 To restate the question, does xmlbeans use 'safe' defaults for xml
 parsing features to avoid XXE and DTD operations? Both are capable of
 exposing sensitive system documents and of acting as a conduit for XSS.
 
 And/or are the settings for parsing features exposed so that users of
 xmlbeans can set them?
 
 
 From the department of TMI, my immediate interest is in a project that
 uses POI, and POI uses xmlbeans to parse OOXML documents. POI punted me
 to xmlbeans under the assumption that they have no control over
 the parsing features used by xmlbeans.
 
 Can anyone here provide any insight?
 
 Thanks.
 Jp
 
 
 -- Forwarded message --
 From: Jon Gorrono jpgorr...@ucdavis.edu
 Date: Mon, Jan 14, 2013 at 6:37 PM
 Subject: XXE
 To: u...@xmlbeans.apache.org
 
 
 Hello.
 
 There's been a lot going around lately about XML External Entity
 definitions and how they (and related constructs) can be exploited in
 nefarious ways.
 
 Does xmlbeans set safe defaults for 'features' on xml processors? If
 not, are the base objects accessible to developers (users of xmlbeans)
 so that processing 'features' can be set?
 
 Thanks
 
 
 --
 Jon Gorrono
 PGP Key: 0x5434509D -
 http://pgp.mit.edu:11371/pks/lookup?search=0x5434509D&op=index
 http://middleware.ucdavis.edu
 
 
 
 -
 To unsubscribe, e-mail: dev-unsubscr...@xmlbeans.apache.org
 For additional commands, e-mail: dev-h...@xmlbeans.apache.org
 






Re: Fwd: XXE

2013-02-01 Thread Jon Gorrono
OK, thanks... that makes sense...

...the term 'feature' I was using is from the Xerces docs, where they use
the term for setting parsing options on the SAX DocumentBuilderFactory here:

http://xerces.apache.org/xerces2-j/features.html

We've been able to show that we can block the vector by setting the
following features there:

builderFactory.setFeature("http://xml.org/sax/features/external-general-entities",
false);
builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities",
false);
builderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

Now I just have to go find out if POI has a way to get at xmlbeans :)

Thanks again.
Jp





On Fri, Feb 1, 2013 at 9:38 AM, Cezar Andrei cezar.and...@oracle.com wrote:
 I'm not sure I understand exactly what you're looking for but I'll give
 it a try.

 It's possible to pass the exact XML parser that XMLBeans should use, see
 http://xmlbeans.apache.org/docs/2.6.0/reference/org/apache/xmlbeans/XmlOptions.html#setLoadUseXMLReader(org.xml.sax.XMLReader)
 and
 http://xmlbeans.apache.org/docs/2.6.0/reference/org/apache/xmlbeans/XmlOptions.html#setLoadUseDefaultResolver()

 Setting these options to your own parser and resolver should give you
 full control over which resources XMLBeans operates on.

 Cezar





-- 
Jon Gorrono
PGP Key: 0x5434509D -
http://pgp.mit.edu:11371/pks/lookup?search=0x5434509D&op=index
http://middleware.ucdavis.edu

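An added example (not code from the thread or from the XMLBeans project) tying the two answers together: a namespace-aware SAX XMLReader with the features Jon lists switched off is handed to XMLBeans through XmlOptions.setLoadUseXMLReader, so every XmlObject.Factory.parse call made with those options goes through the hardened reader. It assumes XMLBeans 2.x on the classpath and a JDK whose bundled Xerces accepts the disallow-doctype-decl feature; the sample documents and the file:///placeholder URI are constructed for the demonstration.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.apache.xmlbeans.XmlException;
import org.apache.xmlbeans.XmlObject;
import org.apache.xmlbeans.XmlOptions;
import org.xml.sax.XMLReader;

public class HardenedXmlBeansLoad {

    // Build a SAX reader that never resolves external entities. These are the
    // same SAX/Xerces features Jon set on DocumentBuilderFactory, applied to
    // the XMLReader that XMLBeans will be told to use instead of its own parser.
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true); // XMLBeans expects a namespace-aware reader
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Strictest setting (assumed supported by the JDK's Xerces): refuse any
        // DOCTYPE, so no entity declarations of any kind can reach the parser.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newSAXParser().getXMLReader();
    }

    // Parse through XMLBeans, but with our reader rather than the default one.
    static XmlObject load(String xml) throws Exception {
        XmlOptions opts = new XmlOptions();
        opts.setLoadUseXMLReader(hardenedReader());
        return XmlObject.Factory.parse(xml, opts);
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: an ordinary document and one carrying a DOCTYPE
        // that declares an external entity (placeholder URI, nothing is read).
        String plain = "<doc><item>ok</item></doc>";
        String withDoctype = "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"file:///placeholder\">]>"
                + "<doc>&ext;</doc>";
        System.out.println("plain document parsed: " + (load(plain) != null));
        try {
            load(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE document was accepted");
        } catch (XmlException e) {
            // Expected path: the reader rejects the DOCTYPE before any entity is resolved.
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

For POI-style use, where the XML is loaded through generated XMLBeans types rather than XmlObject, the same XmlOptions instance can be passed to that type's Factory.parse overloads.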