Samuel Hailemichael created XERCESJ-1758:
--------------------------------------------
Summary: XML validator xxe vulnerability
Key: XERCESJ-1758
URL: https://issues.apache.org/jira/browse/XERCESJ-1758
Project: Xerces2-J
Issue Type: Bug
Components: JAXP (javax.xml.validation)
Reporter: Samuel Hailemichael
During the implementation of a Validator using Apache Xerces, the features that
prevent XML External Entity processing are not working. When parsing an XML
file, I consistently get DNS callbacks when it attempts to load an external DTD
from a DOCTYPE declaration.
*Attempt 1*
{code:java}
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
Schema schema = factory.newSchema(schemaSources);
Validator validator = schema.newValidator();
validator.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
validator.setFeature("http://xml.org/sax/features/external-general-entities", false);
validator.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
validator.validate(new StreamSource(new ByteArrayInputStream(<xml file in byte Array form that contains DOCTYPE>)));
{code}
When using a validator it doesn't throw a fatal error exception when a document
containing a DOCTYPE declaration is being parsed. Here's an example of an
outbound call when an XML file containing a DOCTYPE declaration is being parsed
through the validator.
{code:java}
Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: https://ac961f4f1e4dadda80640ad3018a0016.web-security-academy.net/exploit.dtd
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1914)
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1512)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:268)
	at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
	at org.apache.xerces.impl.XMLEntityManager.startEntity(Unknown Source)
	at org.apache.xerces.impl.XMLEntityManager.startEntity(Unknown Source)
	at org.apache.xerces.impl.XMLDTDScannerImpl.startPE(Unknown Source)
	at org.apache.xerces.impl.XMLDTDScannerImpl.skipSeparator(Unknown Source)
	at org.apache.xerces.impl.XMLDTDScannerImpl.scanDecls(Unknown Source)
	at org.apache.xerces.impl.XMLDTDScannerImpl.scanDTDInternalSubset(Unknown Source)
	at org.apache.xerces.impl.XMLDocumentScannerImpl$DTDDispatcher.dispatch(Unknown Source)
	at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
	at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
	at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
	at org.apache.xerces.jaxp.validation.StreamValidatorHelper.validate(Unknown Source)
	at org.apache.xerces.jaxp.validation.ValidatorImpl.validate(Unknown Source)
	at javax.xml.validation.Validator.validate(Validator.java:124)
{code}
Instead of an outbound call, it should throw an exception for a DOCTYPE
declaration in the XML file.
*Attempt 2*
{code:java}
SchemaFactory factory =
SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
Schema schema = factory.newSchema();
Validator validator = schema.newValidator();
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
validator.validate(new StreamSource(new ByteArrayInputStream(<byte Array>)));
{code}
This implementation is the recommended way for external entity prevention for
validators but gives this error when implemented with xerces.
{code:java}
org.xml.sax.SAXNotRecognizedException: Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized.
	at org.apache.xerces.jaxp.validation.ValidatorImpl.setProperty(Unknown Source)
{code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
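The following is an added example, not code from the reporter or from the Xerces project. It shows the defensive workaround a practitioner can apply while the Validator itself does not honour the XXE-related features described above: do the parsing with an XMLReader that has DOCTYPE and external entities disabled (features that Xerces SAXParserFactory does recognize), and hand the Validator a SAXSource built on that reader, so the Validator never scans the raw bytes itself. The schema, the sample documents and the placeholder DTD URL are constructed for this example; the placeholder is never contacted because the DOCTYPE is rejected before any entity resolution takes place.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Validator;

import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;

public class HardenedValidation {

    // Constructed minimal schema: a single <greeting> element of type xs:string.
    static final String SCHEMA =
        "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
      + "<xs:element name=\"greeting\" type=\"xs:string\"/>"
      + "</xs:schema>";

    // Constructed well-formed document with no DOCTYPE; expected to validate.
    static final String CLEAN_DOC = "<greeting>hello</greeting>";

    // Constructed document carrying a DOCTYPE with an external DTD reference.
    // The host is a placeholder (.invalid TLD); it must never be resolved.
    static final String DOCTYPE_DOC =
        "<!DOCTYPE greeting SYSTEM \"http://dtd.example.invalid/placeholder.dtd\">"
      + "<greeting>hello</greeting>";

    /** Builds an XMLReader that rejects DOCTYPE and never loads external entities. */
    static XMLReader hardenedReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        // Primary control: any DOCTYPE becomes a fatal error at scan time.
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case the first feature is ever relaxed.
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return spf.newSAXParser().getXMLReader();
    }

    /**
     * Validates xml against schema. The hardened reader performs the parse and
     * streams SAX events into the Validator, so the Validator's own (unhardened)
     * stream parser is never used. Returns true if valid, false if rejected.
     */
    static boolean validate(byte[] xml, Schema schema) throws Exception {
        Validator validator = schema.newValidator();
        InputSource input = new InputSource(new ByteArrayInputStream(xml));
        try {
            validator.validate(new SAXSource(hardenedReader(), input));
            return true;
        } catch (SAXParseException e) {
            // A DOCTYPE (or a schema violation) lands here; no network access occurred.
            System.err.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        Schema schema = sf.newSchema(new StreamSource(new StringReader(SCHEMA)));

        boolean clean = validate(CLEAN_DOC.getBytes(StandardCharsets.UTF_8), schema);
        boolean doctype = validate(DOCTYPE_DOC.getBytes(StandardCharsets.UTF_8), schema);

        System.out.println("clean document valid:   " + clean);    // expected: true
        System.out.println("DOCTYPE document valid: " + doctype);  // expected: false
    }
}
```

The design point is that the features are set on the component that actually reads the bytes. With a StreamSource the Validator creates its own parser internally, which is where the report shows the settings being ignored; with a SAXSource the caller supplies the parser, so the caller's hardening applies. If a SAX implementation other than Xerces is on the classpath, `setFeature` may throw `SAXNotRecognizedException` for the Apache-specific feature names; letting that propagate is deliberate, since silently continuing would mean validating with an unhardened parser.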