On 16/04/2021 02:29, Reinier Zwitserloot wrote:
> * An XML parser library may make network calls or open files on disk
> due to e.g. XXE shenanigans: See
> https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
> – this isn't just plausible, we have plenty of proof that this has
> caused significant security breaches multiple times in XML's history.
> A SecurityManager that monitors (or outright denies) specifically the
> network and disk access from an XML parser library would have meant
> XXE attacks could never have happened.
The Security Developer's Guide has a good chapter on this topic [1], as
there are many configuration knobs to restrict or disable "external access"
during XML processing. As things stand, running with a security manager
enables FEATURE_SECURE_PROCESSING globally, but that is unfortunate
coupling and perhaps masks that the security features for XML processing
can be controlled programmatically; it doesn't require a security
manager to do that.
-Alan
[1]
https://docs.oracle.com/en/java/javase/16/security/java-api-xml-processing-jaxp-security-guide.html
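The programmatic controls Alan refers to, as an added example (not code from the thread or the JDK): a DocumentBuilderFactory with FEATURE_SECURE_PROCESSING and the JAXP external-access properties closed, fed a constructed document that declares an external entity (the file path is a placeholder). The attribute names are the standard javax.xml.XMLConstants ones; a non-JDK parser that does not recognise them would throw from setAttribute.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

public class RestrictedXmlParser {

    // Factory with every external-access knob closed, no security manager involved.
    static DocumentBuilderFactory restrictedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The same feature a security manager switches on globally, set explicitly here.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty string = no protocol may be used to fetch external DTDs, entities or schemas.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Constructed sample input: an external entity pointing at a placeholder path.
    static final String SAMPLE = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"file:///placeholder/secret.txt\">]>\n"
        + "<d>&ext;</d>";

    // Returns true when the parser refused to resolve the external entity.
    static boolean rejectsExternalEntity(String xml) throws Exception {
        DocumentBuilder b = restrictedFactory().newDocumentBuilder();
        try {
            Document doc = b.parse(new InputSource(new StringReader(xml)));
            System.out.println("parsed: " + doc.getDocumentElement().getTextContent());
            return false;
        } catch (SAXParseException e) {
            // Expected: accessExternalDTD="" blocks the fetch before any disk/network access.
            System.out.println("rejected: " + e.getMessage());
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("external access blocked: " + rejectsExternalEntity(SAMPLE));
    }
}
```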