It is possible to perform an XML External Entity Injection attack in XML files parsed by GeoTools. Further details on XXE can be found here: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet

A quick project put together to demonstrate the bug can be found here: https://github.com/aaronwaddell/geotools-xml-entity-injection

The original StackExchange question regarding the issue can be found here: http://gis.stackexchange.com/questions/209377/prevent-xml-external-entity-injections-in-geotools-wms-client

OWASP suggests disabling DTDs in order to prevent this kind of attack. It appears that GeoTools was once doing this, but the lines have since been commented out: org.geotools.xml.DocumentFactory:152-153. It is possible that this was done as part of development some time ago and was never picked up on because of the lack of unit tests for this class (the methods are static, so I assume this is the reason).

If disabling DTDs won't have a negative impact on dependent modules, then I suggest we comment out these lines, which have been confirmed to fix the issue. I also suggest that the use of PowerMock or the like is considered in order to allow testing of static methods so that there is no regression.