[ https://issues.apache.org/jira/browse/TINKERPOP-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16997569#comment-16997569 ]

ASF GitHub Bot commented on TINKERPOP-2320:
-------------------------------------------

rdtr commented on pull request #1235: TINKERPOP-2320 allow to pass custom 
XmlInputFactory when instantiating GraphMLReader
URL: https://github.com/apache/tinkerpop/pull/1235
 
 
   This pull request is a revised one from 
https://github.com/apache/tinkerpop/pull/1230.
   
   Some providers want to use XMLInputFactory with more secure configurations. 
This change makes it possible to pass an XMLInputFactory when instantiating 
GraphMLReader.
   
   I haven't added any tests right now; I want to first confirm whether this direction 
is OK. If yes, please suggest any tests that I need to add. Thanks!
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> [SECURITY] XMLInputFactory initialization in GraphMLReader introduces 
> ----------------------------------------------------------------------
>
>                 Key: TINKERPOP-2320
>                 URL: https://issues.apache.org/jira/browse/TINKERPOP-2320
>             Project: TinkerPop
>          Issue Type: Improvement
>          Components: io
>    Affects Versions: 3.4.4
>            Reporter: Norio Akagi
>            Priority: Major
>
> I use TinkerPop in my company, and now the security team audited it and 
> reported that this part in the GraphML reader may introduce XXE vulnerabilities.
> {{private final XMLInputFactory inputFactory = 
> XMLInputFactory.newInstance();}}
> Some documentation recommends adding some properties to protect it, as follows: 
> [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser]
> So I am wondering if I can either
> 1. just hard-code to set these properties in the constructor of GraphMLReader 
> (it will break the existing behavior if users use it)
> 2. somehow make these properties configurable so that we can pass some flags 
> and depending on the flags, we initialize GraphMLReader with those properties.
> Any recommendation? I am happy to add an implementation to handle it but need 
> some input on which direction I should take.
> Thanks.
> Norio
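The OWASP settings the issue points to, applied to a StAX factory of the kind the pull request lets a caller hand to GraphMLReader. This is an added example, not code from the TinkerPop project or from either thread participant; the GraphML snippets are constructed, and the builder method named in the trailing comment is an assumption about the PR's API, not a confirmed one.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class HardenedGraphMLFactory {

    // XMLInputFactory configured as the OWASP XXE cheat sheet linked in the issue recommends.
    public static XMLInputFactory hardenedXmlInputFactory() {
        final XMLInputFactory f = XMLInputFactory.newInstance();
        // Refuse the whole DTD: no entity declarations means no internal or external entity expansion.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        // Defence in depth: even if a DTD were processed, never resolve external entities.
        f.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
        return f;
    }

    // Drains a document with the given factory; returns true only if the full document parsed.
    static boolean parses(final XMLInputFactory factory, final String xml) {
        try {
            final XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                r.next();
            }
            r.close();
            return true;
        } catch (XMLStreamException e) {
            // The hardened factory ends up here: the DTD is refused, so the entity is undeclared.
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: minimal GraphML carrying a DOCTYPE with an entity reference,
        // the shape any entity-based (XXE) input must take.
        final String withDtd = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE graphml [<!ENTITY note \"constructed\">]>"
            + "<graphml><graph id=\"G\"><node id=\"n0\"><data key=\"d0\">&note;</data></node></graph></graphml>";
        // Constructed sample: the same graph without a DTD, which must still parse.
        final String plain = "<?xml version=\"1.0\"?>"
            + "<graphml><graph id=\"G\"><node id=\"n0\"><data key=\"d0\">constructed</data></node></graph></graphml>";

        System.out.println("default factory parses DTD document:  " + parses(XMLInputFactory.newInstance(), withDtd));
        System.out.println("hardened factory parses DTD document: " + parses(hardenedXmlInputFactory(), withDtd));
        System.out.println("hardened factory parses plain GraphML: " + parses(hardenedXmlInputFactory(), plain));
        // Assumed hook from the PR (method name not confirmed here):
        // GraphMLReader.build().xmlInputFactory(hardenedXmlInputFactory()).create();
    }
}
```

Running this under the JDK's bundled StAX implementation, the hardened factory rejects the DTD document and accepts the plain one; the default factory expands the entity and accepts both, which is the gap the issue describes.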



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
