Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update: XML External Entity (XXE) Prevention Cheat Sheet #488

Closed
gilday opened this issue Sep 16, 2020 · 2 comments
Closed

Update: XML External Entity (XXE) Prevention Cheat Sheet #488

gilday opened this issue Sep 16, 2020 · 2 comments
Labels
ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. HELP_WANTED Issue for which help is wanted to do the job. UPDATE_CS Issue about the update/refactoring of a existing cheat sheet.

Comments

@gilday
Copy link
Contributor

gilday commented Sep 16, 2020

The JAXB > Java 8 and Up sub-section on the XXE Cheat Sheet can be misleading. The advice in this section succinctly states

Since JDK-8010393, which is in OpenJDK 8 beta 86, javax.xml.bind.Unmarshaller instances are safe by default. The other classes mentioned here are still unsafe by default in Java 8.

This statement is too broad. It does not account for all the nuances that can lead the javax.xml.bind.Unmarshaller to be vulnerable or used in a way that is vulnerable on OpenJDK 1.8 based runtimes. An application parsing untrusted XML on an OpenJDK 1.8 runtime may be vulnerable to XXE if

  • the JAXB runtime has been inadvertently replaced with a different JAXB runtime that is not safe-by-default (e.g. EclipseLink MOXy)
  • the secure SAX parser that the OpenJDK 1.8 Unmarshaller uses has been inadvertently replaced with a different implementation that is not safe-by-default (e.g. xercesImpl:2.8.0)
  • the application uses one of the unmarshal overloads that does not delegate XML parsing to the safe-by-default SAX parser

Elaborating on that last point, even if the Unmarshaller is considered safe by default, not all of its unmarshal methods use the safe by default XMLReader. Calling unmarshal with any of the following argument types still requires the user to explicitly configure the XML parsing to be safe

  • javax.xml.transform.stream.SAXSource
  • org.w3c.dom.Node
  • javax.xml.stream.XMLStreamReader
  • javax.xml.stream.XMLEventReader

The following is a detailed analysis that explains why users should not rely on the safe by default nature of the Unmarshaller in OpenJDK 1.8 https://www.contrastsecurity.com/security-influencers/xml-xxe-pitfalls-with-jaxb

Recommend removing this sub-section from the Cheat Sheet

@gilday gilday added ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. HELP_WANTED Issue for which help is wanted to do the job. UPDATE_CS Issue about the update/refactoring of a existing cheat sheet. labels Sep 16, 2020
@jmanico
Copy link
Member

jmanico commented Sep 16, 2020

@mackowski
Copy link
Collaborator

mackowski commented Sep 17, 2020

Fixed in #488

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. HELP_WANTED Issue for which help is wanted to do the job. UPDATE_CS Issue about the update/refactoring of a existing cheat sheet.
Projects
None yet
Development

No branches or pull requests

3 participants