Saikiran Boga created TINKERPOP-2589:
----------------------------------------
Summary: XML External Entity (XXE) vulnerability
Key: TINKERPOP-2589
URL: https://issues.apache.org/jira/browse/TINKERPOP-2589
Project: TinkerPop
Issue Type: Bug
Components: structure
Reporter: Saikiran Boga
Found this from a security vulnerability scan. The following usage in
gremlin-core package allows reading XML input stream and could potentially lead
to XXE attack.
In general, when XML input containing a reference to an external entity is
processed by a weakly configured XML parser, it can lead to an XML external
entity (XXE) attack.
[https://github.com/apache/tinkerpop/blob/master/gremlin-core/src/main/java/org/apache/tinkerpop/gremlin/structure/io/graphml/GraphMLReader.java#L396]
More details on the vulnerability:
[https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing]
How to Fix:
[https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser]
Setting these properties on the XML factory should fix this:
{code:java}
inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES,
false);
inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
{code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
