[
https://issues.apache.org/jira/browse/TINKERPOP-2320?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Stephen Mallette closed TINKERPOP-2320.
---------------------------------------
Fix Version/s: 3.3.10
3.4.5
3.5.0
Assignee: Stephen Mallette
Resolution: Done
> [SECURITY] XMLInputFactory initialization in GraphMLReader introduces
> ----------------------------------------------------------------------
>
> Key: TINKERPOP-2320
> URL: https://issues.apache.org/jira/browse/TINKERPOP-2320
> Project: TinkerPop
> Issue Type: Improvement
> Components: io
> Affects Versions: 3.4.4
> Reporter: Norio Akagi
> Assignee: Stephen Mallette
> Priority: Major
> Fix For: 3.5.0, 3.4.5, 3.3.10
>
>
> I use TinkerPop in my company and now the security team had audits and
> reported that this part in GraphML reader may introduce XXE vulnerabilities.
> {{private final XMLInputFactory inputFactory =
> XMLInputFactory.newInstance();}}
> Some documents recommend adding some properties to protect against it, as follows:
> [https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser]
> So I am wondering if I can either
> 1. just hard-code to set these properties in the constructor of GraphMLReader
> (it will break the existing behavior if users use it)
> 2. somehow make these properties configurable so that we can pass some flags
> and depending on the flags, we initialize GraphMLReader with those properties.
> Any recommendation? I am happy to add an implementation to handle it but need
> some input on which direction I'd take.
> Thanks.
> Norio
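The two options the reporter lays out, shown side by side as an added example (this is not TinkerPop's GraphMLReader code): the bare `XMLInputFactory.newInstance()` the issue quotes, and the same factory with the two OWASP StAX properties applied. The GraphML-shaped sample document and the class and method names are constructed for this illustration; the sample declares only a harmless internal entity, so the difference in behaviour between the two factories is visible without any external reference.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class GraphMlFactoryHardening {

    // Same initialisation as the field quoted in the issue: whatever defaults
    // the StAX implementation on the classpath happens to ship with.
    static XMLInputFactory unhardenedFactory() {
        return XMLInputFactory.newInstance();
    }

    // OWASP StAX recommendation: refuse DOCTYPE processing and never resolve
    // external entities. Both property names are standard javax.xml.stream keys.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty("javax.xml.stream.isSupportingExternalEntities", false);
        return f;
    }

    // Constructed GraphML-shaped input with an internal DTD entity (harmless);
    // it only shows whether the factory honours DTD declarations at all.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE graphml [ <!ENTITY label \"hello\"> ]>\n"
      + "<graphml><graph id=\"g\"><node id=\"n0\">"
      + "<data key=\"name\">&label;</data></node></graph></graphml>";

    // Stream the document with the given factory; returns the collected text on
    // success or the parser's refusal (exception text varies by implementation).
    static String parse(XMLInputFactory factory, String xml) {
        try {
            XMLStreamReader r = factory.createXMLStreamReader(new StringReader(xml));
            StringBuilder text = new StringBuilder();
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) text.append(r.getText());
            }
            return "parsed, text=" + text.toString().trim();
        } catch (XMLStreamException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("default : " + parse(unhardenedFactory(), SAMPLE));
        System.out.println("hardened: " + parse(hardenedFactory(), SAMPLE));
    }
}
```

Wrapping the two builders behind a flag is the reporter's option 2; making `hardenedFactory()` the only path is option 1, which rejects any existing GraphML input that carries a DOCTYPE.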
--
This message was sent by Atlassian Jira
(v8.3.4#803005)