
List:       batik-dev
Subject:    [jira] [Comment Edited] (BATIK-1189) XML External Entity Injection
From:       "Andrea Aime (JIRA)" <jira () apache ! org>
Date:       2018-03-26 14:00:00
Message-ID: JIRA.13074107.1495525979000.108373.1522072800642 () Atlassian ! JIRA


    [ https://issues.apache.org/jira/browse/BATIK-1189?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16413875#comment-16413875 ]

Andrea Aime edited comment on BATIK-1189 at 3/26/18 1:59 PM:
-------------------------------------------------------------

I found this one after attempting an update from 1.7 to 1.9.1. In GeoTools we were
already overriding resolveEntity in SAXSVGDocumentFactory, but now it's no longer
being called and our XXE injection tests do not pass anymore.

Unfortunately they are not a straight Batik usage without other dependencies, but I
guess you can have a look as a starting point for writing a test:
 * The test: [https://github.com/geotools/geotools/blob/master/modules/plugin/svg/src/test/java/org/geotools/renderer/style/SVGGraphicFactoryTest.java#L84]
 * The anonymous object with the resolveEntity override: [https://github.com/geotools/geotools/blob/master/modules/plugin/svg/src/main/java/org/geotools/renderer/style/SVGGraphicFactory.java#L151]


> XML External Entity Injection
> -----------------------------
> 
> Key: BATIK-1189
> URL: https://issues.apache.org/jira/browse/BATIK-1189
> Project: Batik
> Issue Type: Bug
> Affects Versions: 1.9
> Reporter: Donald Kwakkel
> Priority: Critical
> 
> XML parsers/transformers do not prevent nor limit external entity resolution.
> This can expose the parser to an XML External Entities attack. Following places:
> # ImageIODebugUtil.dumpNode (TransformerFactory)
> # NodePickerPanel.parseXml (DocumentBuilderFactory)
> # SAXSVGDocumentFactory.resolveEntity (line 374 returns null, which falls back to
> the default resolver)
> # XMLInputHandler.handle (both Transformer and Document Factory)
> For DocumentBuilderFactory you probably need to set:
> {code}
> factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
> factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
> {code}
> For TransformerFactory:
> {code}
> factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
> {code}
> Explanation:
> XML External Entities attacks benefit from an XML feature to build documents
> dynamically at the time of processing. An XML entity allows inclusion of data
> dynamically from a given resource. External entities allow an XML document to
> include data from an external URI. Unless configured to do otherwise, external
> entities force the XML parser to access the resource specified by the URI, e.g., a
> file on the local machine or on a remote system. This behavior exposes the
> application to XML External Entity (XXE) attacks, which can be used to perform
> denial of service of the local system, gain unauthorized access to files on the
> local machine, scan remote machines, and perform denial of service of remote
> systems. The following XML document shows an example of an XXE attack.
> {code}
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <!DOCTYPE foo [
> <!ELEMENT foo ANY >
> <!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>
> {code}
> This example could crash the server (on a UNIX system), if the XML parser attempts
> to substitute the entity with the contents of the /dev/random file.

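The report above names the JAXP features it expects to stop entity resolution, and the comment explains why a resolveEntity override that returns null (or is never invoked) does not. The following stand-alone Java program is an added example, not code from Batik, GeoTools or the ticket: it builds the report's payload against a temporary file instead of /dev/random (so it is safe to run), parses it with a default DocumentBuilderFactory to show the file contents leaking, then shows three mitigations side by side: the hardened factory features, an EntityResolver that resolves every external identifier to an empty stream (the role SAXSVGDocumentFactory.resolveEntity is meant to play), and a TransformerFactory with secure processing plus explicit external-access bans. The class name XxeDemo and the temp-file name are assumptions for illustration.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    // Constructed payload: same shape as the report's example, but the SYSTEM
    // identifier points at a temp file we create ourselves (assumption for the demo).
    static String payload(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE foo [\n"
             + "  <!ELEMENT foo ANY >\n"
             + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\" >]>\n"
             + "<foo>&xxe;</foo>";
    }

    // Default JAXP configuration: the external entity is fetched and inlined,
    // so the element text comes back as the contents of the file.
    static String parseUnsafe(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        Document d = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        return d.getDocumentElement().getTextContent();
    }

    // Hardened: the two SAX features the ticket suggests, plus disallow-doctype-decl,
    // which rejects any DOCTYPE up front (the cleanest fix when DTDs are not needed).
    static String parseSafe(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        try {
            Document d = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement().getTextContent();
        } catch (SAXParseException e) {
            return "REJECTED: " + e.getMessage();
        }
    }

    // Alternative when a DOCTYPE must be tolerated (SVG files routinely carry one):
    // an EntityResolver that never touches the filesystem or network. Returning
    // null here would fall back to the parser's default resolution, which is the
    // problem the ticket describes at SAXSVGDocumentFactory.resolveEntity.
    static String parseWithResolver(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        DocumentBuilder b = f.newDocumentBuilder();
        b.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getDocumentElement().getTextContent();
    }

    // TransformerFactory: secure processing plus explicit bans on external DTD and
    // stylesheet access, so the transformer's own input parsing cannot fetch either.
    static TransformerFactory safeTransformerFactory() {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    public static void main(String[] args) throws Exception {
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "TOP-SECRET".getBytes(StandardCharsets.UTF_8));
        String xml = payload(secret);
        System.out.println("unsafe   : " + parseUnsafe(xml));
        System.out.println("hardened : " + parseSafe(xml));
        System.out.println("resolver : " + parseWithResolver(xml));
        System.out.println("tf       : " + safeTransformerFactory().getClass().getName());
        Files.delete(secret);
    }
}
```

Run it with `javac XxeDemo.java && java XxeDemo`; the unsafe parse prints the temp file's contents, the hardened parse is rejected at the DOCTYPE, and the resolver variant yields an empty element. Two caveats a practitioner will want: the empty-resolver approach still lets the parser see the DTD, so it does not by itself bound entity expansion (the "billion laughs" case), which is why the hardened variant also sets FEATURE_SECURE_PROCESSING; and the TransformerFactory attributes are set explicitly rather than relying on what secure processing implies on a particular JDK, since an unsupported attribute throws IllegalArgumentException and a silently ignored one is worse.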