Donald Kwakkel created BATIK-1189:
-------------------------------------

             Summary: XML External Entity Injection
                 Key: BATIK-1189
                 URL: https://issues.apache.org/jira/browse/BATIK-1189
             Project: Batik
          Issue Type: Bug
    Affects Versions: 1.9
            Reporter: Donald Kwakkel
            Priority: Critical


The XML parsers/transformers used by Batik neither prevent nor limit external entity 
resolution. This exposes the parser to an XML External Entity (XXE) attack.

Affected places:
# ImageIODebugUtil.dumpNode (TransformerFactory)
# NodePickerPanel.parseXml (DocumentBuilderFactory)
# SAXSVGDocumentFactory.resolveEntity (line 374 returns null, which falls back 
to the default resolver)
# XMLInputHandler.handle (both TransformerFactory and DocumentBuilderFactory)

For DocumentBuilderFactory you probably need to set:
{code}
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
{code}
For TransformerFactory:
{code}
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
{code}

Explanation:

XML External Entities attacks benefit from an XML feature to build documents 
dynamically at the time of processing. An XML entity allows inclusion of data 
dynamically from a given resource. External entities allow an XML document to 
include data from an external URI. Unless configured to do otherwise, external 
entities force the XML parser to access the resource specified by the URI, 
e.g., a file on the local machine or on a remote system. This behavior exposes 
the application to XML External Entity (XXE) attacks, which can be used to 
perform denial of service of the local system, gain unauthorized access to 
files on the local machine, scan remote machines, and perform denial of service 
of remote systems.

The following XML document shows an example of an XXE attack.
{code}
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///dev/random" >
]>
<foo>&xxe;</foo>
{code}

This example could crash the server (on a UNIX system), if the XML parser 
attempts to substitute the entity with the contents of the /dev/random file.
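The following is an added example (not Batik code and not from the reporter) that puts the three fixes named above together: a DocumentBuilderFactory with external entities disabled, a TransformerFactory with secure processing on, and an EntityResolver that returns an empty InputSource instead of null, so the parser never falls back to the default resolver. The sample document, the placeholder file path in it, and the class and method names are constructed for the example; the JAXP feature URIs and XMLConstants properties are standard.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedXmlExample {

    // Constructed sample: a DOCTYPE declaring an external entity that points at a
    // placeholder path. With the hardened factory the path is never opened.
    static final String XXE_SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE foo [ <!ENTITY xxe SYSTEM \"file:///placeholder/secret.txt\"> ]>\n"
      + "<foo>&xxe;</foo>";

    static DocumentBuilderFactory hardenedDocumentBuilderFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Strongest option: reject any DOCTYPE, which also stops entity-expansion DoS.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // The two features from the report, for parsers where DOCTYPEs must stay allowed.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Do not fetch an external DTD referenced by the document.
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    static TransformerFactory hardenedTransformerFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // JAXP 1.5 properties: an empty string denies every external protocol.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // Returning null from resolveEntity hands resolution back to the parser's default
    // resolver, which opens the system identifier. An empty InputSource substitutes
    // nothing instead and is what a resolveEntity override should return.
    static final EntityResolver NO_EXTERNAL_ENTITIES =
        (publicId, systemId) -> new InputSource(new StringReader(""));

    // Parses the document with the hardened builder and reports the outcome.
    static String parseOutcome(String xml) {
        try {
            DocumentBuilder db = hardenedDocumentBuilderFactory().newDocumentBuilder();
            db.setEntityResolver(NO_EXTERNAL_ENTITIES);
            Document doc = db.parse(new InputSource(new StringReader(xml)));
            return "parsed: " + doc.getDocumentElement().getTextContent();
        } catch (SAXParseException e) {
            // disallow-doctype-decl makes the DOCTYPE itself a parse error.
            return "rejected: " + e.getMessage();
        } catch (Exception e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(parseOutcome(XXE_SAMPLE));
        System.out.println(parseOutcome("<foo>plain document</foo>"));
        // Constructing the factory fails fast if a feature is unsupported by the JAXP impl.
        hardenedTransformerFactory();
    }
}
```

When the disallow-doctype-decl feature cannot be used (for example because SVG documents with a DTD must still load), the remaining settings plus the non-null EntityResolver still prevent the file or URL from being read; the entity then expands to the empty string rather than to the resource contents.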




--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
