Update: XML External Entity (XXE) Prevention Cheat Sheet #488

@gilday

Description

The JAXB > Java 8 and Up sub-section on the XXE Cheat Sheet can be misleading. The advice in this section succinctly states

Since JDK-8010393, which is in OpenJDK 8 beta 86, javax.xml.bind.Unmarshaller instances are safe by default. The other classes mentioned here are still unsafe by default in Java 8.

This statement is too broad. It does not account for all the nuances that can lead the javax.xml.bind.Unmarshaller to be vulnerable, or to be used in a way that is vulnerable, on OpenJDK 1.8-based runtimes. An application parsing untrusted XML on an OpenJDK 1.8 runtime may be vulnerable to XXE if:

  • the JAXB runtime has been inadvertently replaced with a different JAXB runtime that is not safe-by-default (e.g. EclipseLink MOXy)
  • the secure SAX parser that the OpenJDK 1.8 Unmarshaller uses has been inadvertently replaced with a different implementation that is not safe-by-default (e.g. xercesImpl:2.8.0)
  • the application uses one of the unmarshal overloads that does not delegate XML parsing to the safe-by-default SAX parser

Elaborating on that last point: even if the Unmarshaller is considered safe by default, not all of its unmarshal methods use the safe-by-default XMLReader. Calling unmarshal with any of the following argument types still requires the user to explicitly configure the XML parsing to be safe:

  • javax.xml.transform.stream.SAXSource
  • org.w3c.dom.Node
  • javax.xml.stream.XMLStreamReader
  • javax.xml.stream.XMLEventReader

The following is a detailed analysis that explains why users should not rely on the safe-by-default nature of the Unmarshaller in OpenJDK 1.8: https://www.contrastsecurity.com/security-influencers/xml-xxe-pitfalls-with-jaxb

Recommend removing this sub-section from the Cheat Sheet.

Labels: ACK_WAITING (issue waiting for acknowledgement from the core team before work to fix it starts), HELP_WANTED (issue for which help is wanted to do the job), UPDATE_CS (issue about the update/refactoring of an existing cheat sheet)