-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Introduced protections against XXE attacks #6
Introduced protections against XXE attacks #6
Conversation
@@ -79,5 +79,9 @@ | |||
<artifactId>jaxen</artifactId> | |||
<scope>test</scope> | |||
</dependency> | |||
<dependency> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This library holds security tools for protecting Java API calls.
License: MIT ✅ | Open source ✅ | More facts
@@ -86,4 +86,16 @@ | |||
</plugin> | |||
</plugins> | |||
</build> | |||
<dependencyManagement> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This library holds security tools for protecting Java API calls.
License: MIT ✅ | Open source ✅ | More facts
Unable to locate .performanceTestingBot config file |
Seems you are using me but didn't get OPENAI_API_KEY seted in Variables/Secrets for this repo. you could follow readme for more information |
Micro-Learning Topic: External entity injection (Detected by phrase)Matched on "XXE"An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts. Try a challenge in Secure Code WarriorHelpful references
|
Check out the playback for this Pull Request here. |
Important Review SkippedBot user detected. To trigger a single review, invoke the You can disable this status message by setting the Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media? TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (invoked as PR comments)
Additionally, you can add CodeRabbit Configration File (
|
protected <T> boolean hasThisXMLRootElement(AttachmentContent content, String rootElementNamespace, String rootElementName, User user, T context) throws TException { | ||
XMLInputFactory xmlif = XMLInputFactory.newFactory(); | ||
XMLInputFactory xmlif = hardenFactory(XMLInputFactory.newFactory()); | ||
XMLStreamReader xmlStreamReader = null; | ||
InputStream attachmentStream = null; | ||
try { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The method hasThisXMLRootElement
initializes resources such as XMLStreamReader
and InputStream
within a try block but does not explicitly close these resources, which can lead to resource leaks. It's recommended to use try-with-resources statement for both XMLStreamReader
and InputStream
to ensure they are closed properly, even if exceptions occur.
import com.google.common.collect.Sets; | ||
import static io.github.pixee.security.XMLInputFactorySecurity.hardenFactory; | ||
import org.apache.commons.lang.StringEscapeUtils; | ||
import org.apache.commons.lang3.StringUtils; | ||
import org.apache.logging.log4j.LogManager; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The usage of both org.apache.commons.lang.StringEscapeUtils
and org.apache.commons.lang3.StringUtils
from different versions of the Apache Commons Lang library could lead to confusion and potential compatibility issues. It's advisable to use a consistent version of the library across the project to avoid such issues. Consider migrating all usages to org.apache.commons.lang3
, which is the newer version, to ensure consistency and access to the latest features and bug fixes.
Sweep: PR ReviewAuthors of pull request: @pixeebot[bot] This pull request enhances the security of XML parsing in the project by integrating the The In The These changes collectively improve the security and robustness of XML parsing operations in the project.
|
} | |
protected <T> boolean hasThisXMLRootElement(AttachmentContent content, String rootElementNamespace, String rootElementName, User user, T context) throws TException { | |
XMLInputFactory xmlif = hardenFactory(XMLInputFactory.newFactory()); | |
XMLStreamReader xmlStreamReader = null; |
View Diff
Potential Issues
Sweep is unsure if these are issues, but they might be worth checking out.
backend/src/pom.xml
- The new dependency on
java-security-toolkit
may introduce compatibility issues if it conflicts with other dependencies in the project.
toshiba-sw360/backend/src/pom.xml
Lines 89 to 100 in 49ebb97
<dependencyManagement> | |
<dependencies> | |
<dependency> | |
<groupId>io.github.pixee</groupId> | |
<artifactId>java-security-toolkit</artifactId> | |
<version>${versions.java-security-toolkit}</version> | |
</dependency> | |
</dependencies> | |
</dependencyManagement> | |
<properties> | |
<versions.java-security-toolkit>1.1.3</versions.java-security-toolkit> | |
</properties> |
View Diff
I'm confident in this change, but I'm not a maintainer of this project. Do you see any reason not to merge it? If this change was not helpful, or you have suggestions for improvements, please let me know! |
Unless you're in the microscopic percentage of developers intentionally allowing external entities in XML on purpose, this change should be merged. In that case however, it should be noted that whoever is supplying XML to your code must be completely trusted. It should also be noted that the parser you think you're using may actually be different than the one you intend, since the Java XML system has conditions that allows libraries to insert themselves as the primary XML provider. If there are other concerns about this change, I'd love to hear about them! |
This change may not be a priority right now, so I'll close it. If there was something I could have done better, please let me know! You can also customize me to make sure I'm working with you in the way you want. |
This change updates all instances of XMLInputFactory to prevent them from resolving external entities, which can protect you from arbitrary code execution, sensitive data exfiltration, and probably a bunch more evil things attackers are still discovering.
Without this protection, attackers can cause your
XMLInputFactory
parser to retrieve sensitive information with attacks like this:Yes, it's pretty insane that this is the default behavior. Our change hardens the factories created with the necessary security features to prevent your parser from resolving external entities.
You could take our protections one step further by changing our supplied code to prevent the user from supplying a
DOCTYPE
, which is more aggressive and more secure, but also more likely to affect existing code behavior:More reading
I have additional improvements ready for this repo! If you want to see them, leave the comment:
... and I will open a new PR right away!
🧚🤖 Powered by Pixeebot
💬Feedback | 👥Community | 📚Docs | Codemod ID: pixee:java/harden-xmlinputfactory