[ https://issues.apache.org/jira/browse/JENA-2331?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17543156#comment-17543156 ]

Andy Seaborne commented on JENA-2331:
-------------------------------------

Firstly: CVE-2021-39239 and CVE-2022-28890.

It seems the environment installed Woodstox. Jena does not have a dependency on Woodstox.

Please provide a PR for (2), but note this may open XXE attacks. How is CVE-2021-39239 addressed? What are the correct settings for Woodstox?

(1) negates the possibility that the user has chosen to install a different XML parser, which raises the question of why they did it. Maybe it was intended to override Jena's usage.

Note: the constant accessExternalDTD is defined by the JDK JEP-185 (Java8). 

See the general advice for XXE:
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser


> JenaXMLInput does not play well with Woodstox
> ---------------------------------------------
>
>                 Key: JENA-2331
>                 URL: https://issues.apache.org/jira/browse/JENA-2331
>             Project: Apache Jena
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: Jena 4.5.0
>            Reporter: Brian Vosburgh
>            Priority: Major
>
> New in 4.5.0, {{JenaXMLInput}} initializes the loaded {{XMLInputFactory}} 
> with at least one property that is not supported by the Woodstox StAX parser 
> (see [https://github.com/FasterXML/woodstox/issues/51]). This results in a 
> logged stack trace that looks like this:
> {code}
> ERROR [main] o.a.j.u.JenaXMLInput - Problem setting StAX property
> java.lang.IllegalArgumentException: Unrecognized property 'http://javax.xml.XMLConstants/property/accessExternalDTD'
>     at com.ctc.wstx.api.CommonConfig.reportUnknownProperty(CommonConfig.java:167) ~[woodstox-core-6.2.7.jar:6.2.7]
>     at com.ctc.wstx.api.CommonConfig.setProperty(CommonConfig.java:158) ~[woodstox-core-6.2.7.jar:6.2.7]
>     at com.ctc.wstx.api.ReaderConfig.setProperty(ReaderConfig.java:35) ~[woodstox-core-6.2.7.jar:6.2.7]
>     at com.ctc.wstx.stax.WstxInputFactory.setProperty(WstxInputFactory.java:400) ~[woodstox-core-6.2.7.jar:6.2.7]
>     at org.apache.jena.util.JenaXMLInput.initXMLInputFactory(JenaXMLInput.java:81) ~[jena-core-4.5.0.jar:4.5.0]
>     at org.apache.jena.util.JenaXMLInput.<clinit>(JenaXMLInput.java:90) ~[jena-core-4.5.0.jar:4.5.0]
>     at org.apache.jena.rdfxml.xmlinput.impl.RDFXMLParser.create(RDFXMLParser.java:75) ~[jena-core-4.5.0.jar:4.5.0]
>     at org.apache.jena.rdfxml.xmlinput.ARP.<init>(ARP.java:76) ~[jena-core-4.5.0.jar:4.5.0]
>     at org.apache.jena.riot.lang.ReaderRIOTRDFXML.<init>(ReaderRIOTRDFXML.java:62) ~[jena-arq-4.5.0.jar:4.5.0]
>     at org.apache.jena.riot.lang.ReaderRIOTRDFXML.lambda$static$0(ReaderRIOTRDFXML.java:59) ~[jena-arq-4.5.0.jar:4.5.0]
>     at org.apache.jena.riot.RDFParser.createReader(RDFParser.java:486) [jena-arq-4.5.0.jar:4.5.0]
>     at org.apache.jena.riot.RDFParser.createReader(RDFParser.java:480) [jena-arq-4.5.0.jar:4.5.0]
>     at org.apache.jena.riot.RDFParser.parseNotUri(RDFParser.java:399) [jena-arq-4.5.0.jar:4.5.0]
>     at org.apache.jena.riot.RDFParser.parse(RDFParser.java:356) [jena-arq-4.5.0.jar:4.5.0]
>     at org.apache.jena.riot.RDFParserBuilder.parse(RDFParserBuilder.java:568) [jena-arq-4.5.0.jar:4.5.0]
>     at org.apache.jena.riot.RDFDataMgr.parseFromInputStream(RDFDataMgr.java:718) [jena-arq-4.5.0.jar:4.5.0]
>     at org.apache.jena.riot.RDFDataMgr.read(RDFDataMgr.java:253) [jena-arq-4.5.0.jar:4.5.0]
>     at org.apache.jena.riot.RDFDataMgr.read(RDFDataMgr.java:235) [jena-arq-4.5.0.jar:4.5.0]
>     at org.apache.jena.riot.adapters.RDFReaderRIOT.read(RDFReaderRIOT.java:69) [jena-arq-4.5.0.jar:4.5.0]
>     at org.apache.jena.rdf.model.impl.ModelCom.read(ModelCom.java:253) [jena-core-4.5.0.jar:4.5.0]
>     at org.apache.jena.ontology.OntDocumentManager.findMetadata(OntDocumentManager.java:890) [jena-core-4.5.0.jar:4.5.0]
>     at org.apache.jena.ontology.OntDocumentManager.initialiseMetadata(OntDocumentManager.java:848) [jena-core-4.5.0.jar:4.5.0]
>     at org.apache.jena.ontology.OntDocumentManager.<init>(OntDocumentManager.java:196) [jena-core-4.5.0.jar:4.5.0]
>     at org.apache.jena.ontology.OntDocumentManager.<init>(OntDocumentManager.java:178) [jena-core-4.5.0.jar:4.5.0]
>     at org.apache.jena.ontology.OntDocumentManager.<init>(OntDocumentManager.java:162) [jena-core-4.5.0.jar:4.5.0]
> {code}
> Jena should probably do one of the following:
>  * Instead of relying on whatever parser is discovered by {{XMLInputFactory.newInstance()}}, Jena can directly load the JDK-supplied parser, which supports these properties, by calling {{XMLInputFactory.newDefaultFactory()}} instead.
>  * Jena can be a bit more robust when dealing with non-JDK parsers by wrapping each call to {{XMLInputFactory.setProperty(...)}} with a separate {{try-catch}} block and log any exception appropriately.
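One way to combine the two suggestions above while keeping the XXE protections the comment asks about, as an added example (not Jena's JenaXMLInput code): treat the standard StAX keys as mandatory, the JEP 185 keys as optional, and fall back to the JDK parser only when the discovered parser refuses a mandatory key. The class name SafeXMLInputFactory, the PLACEHOLDER path in the constructed test document, and the Java 10+ requirement (newDefaultFactory, var) are assumptions.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;

public final class SafeXMLInputFactory {
    // Standard StAX keys, mandatory for every implementation: no DTD processing,
    // no external entity expansion. These two carry the XXE protection.
    private static final String[] REQUIRED = {
        XMLInputFactory.SUPPORT_DTD, XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES };
    // JAXP keys from JEP 185 (JDK 8 parser); Woodstox reports them as unrecognized.
    private static final String[] OPTIONAL = {
        XMLConstants.ACCESS_EXTERNAL_DTD, XMLConstants.ACCESS_EXTERNAL_SCHEMA };

    /** Hardened factory: the discovered parser if it accepts the required keys,
     *  otherwise the JDK-bundled parser (option 1 from the issue; Java 9+ API). */
    public static XMLInputFactory create() {
        XMLInputFactory f = XMLInputFactory.newInstance();   // whatever the classpath supplies
        if (!harden(f)) {
            f = XMLInputFactory.newDefaultFactory();
            if (!harden(f))
                throw new IllegalStateException("no StAX parser accepts the XXE protections");
        }
        return f;
    }
    /** Option 2 from the issue: each setProperty() in its own try/catch. */
    static boolean harden(XMLInputFactory f) {
        boolean ok = true;
        for (String p : REQUIRED) ok &= set(f, p, Boolean.FALSE, true);
        for (String p : OPTIONAL) set(f, p, "", false);    // "" = allow no external protocol
        return ok;
    }
    private static boolean set(XMLInputFactory f, String name, Object value, boolean required) {
        try {
            f.setProperty(name, value);
            return true;
        } catch (IllegalArgumentException ex) {   // Woodstox: "Unrecognized property ..."
            System.err.println((required ? "REQUIRED" : "optional") + " property not supported: " + name);
            return !required;
        }
    }
    public static void main(String[] args) throws XMLStreamException {
        // Constructed document with an external entity (placeholder path); expect rejection or no expansion.
        String doc = "<!DOCTYPE r [<!ENTITY e SYSTEM \"file:///PLACEHOLDER/secret\">]><r>&e;</r>";
        var r = create().createXMLStreamReader(new StringReader(doc));
        while (r.hasNext()) r.next();
        System.out.println("reached end of document without resolving the external entity");
    }
}
```

With Woodstox on the classpath the two optional keys are logged as unsupported but the factory is still used, since the mandatory keys succeed; a parser that rejects a mandatory key is replaced by the JDK one instead of being used unprotected.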

--
This message was sent by Atlassian Jira
(v8.20.7#820007)