Perhaps you could show the code that you used to insert the document into the database.
I, personally, cannot get your code to work for a number of reasons.

1) Having both an xml processing statement and an HTML doctype is invalid.
2) Trying to assign the "document" to a variable throws an error because of #1.
3) If I try to put the "document" below into a file on the file system and load it, I cannot use xdmp:document-insert() to insert the "document" into the database because there isn't a valid node.

There may be something I have overlooked, so please share the code you used to insert this document into a database.

-Keith

From: general-boun...@developer.marklogic.com <general-boun...@developer.marklogic.com> On Behalf Of Marcel de Kleine
Sent: Wednesday, March 14, 2018 6:43 AM
To: general@developer.marklogic.com
Subject: [MarkLogic Dev General] Marklogic XXE and XML Bomb prevention

Hello,

We have noticed Marklogic is vulnerable to xxe (entity expansion) and xml bomb attacks. When loading a malicious document using xdmp:document-insert it won't catch these and causes either loading of unwanted external documents (xxe) or lockup of the system (xml bomb). For example, if I load this document:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/text.xml" >]>
<foo>&xxe;</foo>

The file test.xml gets nicely added to the xml document. See OWASP and others for examples. This is clearly an xml processing issue, so the question is: can we disable this? And if so, on what levels would this be possible. Best should be system-wide. (And if you cannot disable this, I think this is something ML should address immediately.)
Thank you in advance,
Marcel de Kleine, EPAM
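A pre-ingestion gate that rejects the two document classes discussed in this thread (an external entity in the DOCTYPE, and an entity that expands into other entities) before anything like xdmp:document-insert sees them. This is an added example in Python, not code from the thread or from MarkLogic; the sample documents are constructed, and the gate is a policy filter on the XML prolog, not a substitute for a parser-level setting.

```python
import re
from typing import Tuple

# Constructed sample: the external-entity document from the thread.
XXE_DOC = ('<?xml version="1.0" encoding="ISO-8859-1"?>\n'
           '<!DOCTYPE foo [ <!ELEMENT foo ANY >\n'
           '<!ENTITY xxe SYSTEM "file:///c:/text.xml" >]>\n'
           '<foo>&xxe;</foo>')
# Constructed sample: a two-level expansion chain (the shape of an XML bomb).
BOMB_DOC = ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n'
            '<!ENTITY lol "lol">\n<!ENTITY lol1 "&lol;&lol;&lol;&lol;">\n'
            ']>\n<lolz>&lol1;</lolz>')
# Constructed samples that should pass: no DOCTYPE, and a harmless internal entity.
SAFE_DOC = '<?xml version="1.0"?><foo>plain content &amp; nothing else</foo>'
INTERNAL_OK_DOC = '<!DOCTYPE note [<!ENTITY co "Acme">]><note>&co;</note>'

# DOCTYPE with optional external identifier (SYSTEM/PUBLIC) and internal subset.
DOCTYPE_RE = re.compile(
    r'<!DOCTYPE\s+\S+(?P<ext>\s+(?:SYSTEM|PUBLIC)[^\[>]*)?\s*'
    r'(?:\[(?P<subset>.*?)\])?\s*>', re.S)
# Entity declarations inside the internal subset (general or parameter).
ENTITY_RE = re.compile(r'<!ENTITY\s+(?:%\s+)?(?P<name>\S+)\s+(?P<body>[^>]*)>', re.S)
# A reference to another declared entity (not the predefined five, not a char ref).
NESTED_REF_RE = re.compile(r'&(?!amp;|lt;|gt;|quot;|apos;|#)\w+;')


def check_xml(doc: str, max_entities: int = 8) -> Tuple[bool, str]:
    """Gate a document before ingestion. Returns (accepted, reason)."""
    m = DOCTYPE_RE.search(doc)
    if m is None:
        return True, "no DOCTYPE"
    if m.group('ext'):
        # An external DTD reference makes the parser fetch a remote resource.
        return False, "DOCTYPE references an external DTD"
    entities = ENTITY_RE.findall(m.group('subset') or '')
    if len(entities) > max_entities:
        return False, f"{len(entities)} entity declarations (limit {max_entities})"
    for name, body in entities:
        if re.match(r'\s*(?:SYSTEM|PUBLIC)\b', body):
            return False, f"entity '{name}' is external (possible XXE)"
        if NESTED_REF_RE.search(body):
            return False, f"entity '{name}' expands to other entities (possible XML bomb)"
    return True, "DOCTYPE with only simple internal entities"


if __name__ == "__main__":
    for label, doc in [("xxe", XXE_DOC), ("bomb", BOMB_DOC),
                       ("safe", SAFE_DOC), ("internal", INTERNAL_OK_DOC)]:
        print(label, check_xml(doc))
```

The gate looks only at the prolog, so it runs in constant time on the raw text and never expands anything; documents it accepts can then be handed to the real parser under whatever entity limits that parser supports.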