[ https://issues.apache.org/jira/browse/OOZIE-2489?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15237851#comment-15237851 ]
Robert Kanter commented on OOZIE-2489:
--------------------------------------

+1

> XML parsing is vulnerable
> -------------------------
>
>                 Key: OOZIE-2489
>                 URL: https://issues.apache.org/jira/browse/OOZIE-2489
>             Project: Oozie
>          Issue Type: Bug
>    Affects Versions: 4.1.0
>            Reporter: Ferenc Denes
>            Assignee: Ferenc Denes
>              Labels: security, xml
>             Fix For: trunk
>
>         Attachments: OOZIE-2489-1.patch, OOZIE-2489-2.patch, OOZIE-2489-3.patch
>
>
> The XML parsing has some security problems:
>
> XML External Entity attack:
>
> XML External Entities attacks benefit from an XML feature to build documents
> dynamically at the time of processing. An XML entity allows inclusion of data
> dynamically from a given resource. External entities allow an XML document to
> include data from an external URI. Unless configured to do otherwise,
> external entities force the XML parser to access the resource specified by
> the URI, e.g., a file on the local machine or on a remote system. This
> behavior exposes the application to XML External Entity (XXE) attacks, which
> can be used to perform denial of service of the local system, gain
> unauthorized access to files on the local machine, scan remote machines, and
> perform denial of service of remote systems.
>
> The following XML document shows an example of an XXE attack.
>
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <!DOCTYPE foo [
> <!ELEMENT foo ANY >
> <!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>
>
> This example could crash the server (on a UNIX system), if the XML parser
> attempts to substitute the entity with the contents of the /dev/random file.
>
> XML Entity Expansion injection, also known as XML Bombs, are DoS attacks that
> benefit from valid and well-formed XML blocks that expand exponentially until
> they exhaust the server's allocated resources. XML allows defining custom
> entities which act as string substitution macros. By nesting recurrent entity
> resolutions, an attacker can easily exhaust the server's resources.
>
> The following XML document shows an example of an XML Bomb.
>
> <?xml version="1.0"?>
> <!DOCTYPE lolz [
> <!ENTITY lol "lol">
> <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
> ]>
> <lolz>&lol9;</lolz>
>
> Both problems can be solved by setting features and parameters of the XML
> parser factories.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
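As an added example (not Oozie's own code and not the attached patches), the two documents quoted in the issue fed to a javax.xml DocumentBuilderFactory hardened with the kind of parser-factory features the description refers to; the feature URIs are the standard Xerces/SAX ones, while the class and method names are assumed for this illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXException;

public class HardenedXmlParsing {
    // Constructed sample: the XXE document quoted in the issue description.
    static final String XXE_DOC =
        "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n<!DOCTYPE foo [\n"
      + "<!ELEMENT foo ANY >\n<!ENTITY xxe SYSTEM \"file:///dev/random\" >]><foo>&xxe;</foo>";
    // Constructed sample: rebuilds the issue's nested-entity bomb (lol, lol2 .. lolN).
    static String bombDoc(int depth) {
        StringBuilder sb = new StringBuilder(
            "<?xml version=\"1.0\"?>\n<!DOCTYPE lolz [\n<!ENTITY lol \"lol\">\n");
        for (int i = 2; i <= depth; i++) {
            String prev = (i == 2) ? "lol" : "lol" + (i - 1);
            sb.append("<!ENTITY lol").append(i).append(" \"");
            for (int j = 0; j < 10; j++) sb.append('&').append(prev).append(';');
            sb.append("\">\n");
        }
        return sb.append("]>\n<lolz>&lol").append(depth).append(";</lolz>").toString();
    }
    // Factory features that stop both documents before any entity is expanded.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // No DOCTYPE means no entity declarations at all: one switch covers XXE and bombs.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case the DOCTYPE restriction is ever relaxed elsewhere.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }
    static boolean isRejected(String xml) throws Exception { // true on SAXParseException
        try {
            hardenedFactory().newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.ISO_8859_1)));
            return false;
        } catch (SAXException e) {
            return true; // disallow-doctype-decl fails the parse at the DOCTYPE line
        }
    }
    public static void main(String[] args) throws Exception {
        System.out.println("XXE rejected: " + isRejected(XXE_DOC) + ", bomb rejected: "
            + isRejected(bombDoc(9)) + ", plain document parses: " + !isRejected("<foo>ok</foo>"));
    }
}
```

SAXParserFactory.setFeature accepts the same feature URIs, so the same hardening carries over to SAX-based parsing paths.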