Here is the closest I been able to come to inserting the "document".
xquery version "1.0-ml";
let $doc := xdmp:unquote( xdmp:filesystem-file("C:/xxeInjection.xml") )
return (
$doc,
xdmp:document-insert( "/xxeInjection.xml", $doc)
)
Here is the contents of the xxeInjection.xml file are exactly as you specify
below.
However, when the file is loaded from the file system it is text and must be
unquoted ... xdmp:unquote() strips the invalid HTML DOCTYPE and we get:
<?xml version="1.0" encoding="UTF-8"?>
<foo>;</foo>
Could you please show us the code you used to insert the xxe injection
"document" unmodified?
-Keith
From: Keith Breinholt
Sent: Wednesday, March 14, 2018 11:07 AM
To: general@developer.marklogic.com
Subject: RE: Marklogic XXE and XML Bomb prevention
Perhaps you could show the code that you used to insert the document into the
database.
I, personally, cannot get your code to work for a number of reasons. 1) having
both an xml processing statement and an HTML doctype is invalid. 2) Trying to
assign the "document" to a variable throws an error because of #1. 3) If I try
to put the "document" below into a file on the file system and load it I cannot
use xdmp:document-insert() to insert the "document" into the database because
there isn't a valid node.
There may be something I have overlooked so please share the code you used to
insert this document into a database.
-Keith
From:
general-boun...@developer.marklogic.com<mailto:general-boun...@developer.marklogic.com>
<general-boun...@developer.marklogic.com<mailto:general-boun...@developer.marklogic.com>>
On Behalf Of Marcel de Kleine
Sent: Wednesday, March 14, 2018 6:43 AM
To: general@developer.marklogic.com<mailto:general@developer.marklogic.com>
Subject: [MarkLogic Dev General] Marklogic XXE and XML Bomb prevention
Hello,
We have noticed Marklogic is vulnerable to xxe (entity expansion) and xml bomb
attacks. When loading an malicious document using xdmp:document-insert it won't
catch these and cause either loading of unwanted external documents (xxe) and
lockup of the system (xml bomb).
For example, if I load this document :
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///c:/text.xml" >]>
<foo>&xxe;</foo>
The file test.xml gets nicely added to the xml document.
See OWASP and others for examples.
This is clearly a xml processing issue so the question is : can we disable
this? And if so, on what levels would this be possible. Best should be
system-wide.
( And if you cannot disable this, I think this is something ML should address
immediately.
Thank you in advance,
Marcel de Kleine, EPAM
Marcel de Kleine
Senior Software Engineer
Office: +31 20 241 6134 x 30530<tel:+31%2020%20241%206134;ext=30530> Cell:
+31 6 14806016<tel:+31%206%2014806016> Email:
marcel_de_kle...@epam.com<mailto:marcel_de_kle...@epam.com>
Delft, Netherlands
epam.com<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.epam.com&d=DwMFAg&c=z0adcvxXWKG6LAMN6dVEqQ&r=wQ09nIebnRJGH1VgSesPfFnvXo10BKdu-taGZQaoghw&m=yiUEuOMjMBUR5ccv3Gi1vFMsW6pyEFhtMdzfpZtXd7g&s=a20FyQ4Tr_pZurrcjmEjQUs0A9Nd3NR48cC-wrqcKGA&e=>
CONFIDENTIALITY CAUTION AND DISCLAIMER
This message is intended only for the use of the individual(s) or entity(ies)
to which it is addressed and contains information that is legally privileged
and confidential. If you are not the intended recipient, or the person
responsible for delivering the message to the intended recipient, you are
hereby notified that any dissemination, distribution or copying of this
communication is strictly prohibited. All unintended recipients are obliged to
delete this message and destroy any printed copies.
_______________________________________________
General mailing list
General@developer.marklogic.com
Manage your subscription at:
http://developer.marklogic.com/mailman/listinfo/general
