disallow DTD-processing (#11)
* The most significant change is the addition of a new line of code to the `RunCheck()` function in the `CCheckXmlMetadataXsdValidation` class. This change is aimed at enhancing the security of the application by preventing XML External Entity (XXE) attacks.

Changes:
1. A new line of code `dom_parser.setDisableDefaultEntityResolution(true);` has been added to the `RunCheck()` function in the `CCheckXmlMetadataXsdValidation` class within the `checkerXmlMetadataXsdValidation.cpp` file. This line disables the default entity resolution of the `dom_parser` object, making the application less vulnerable to XXE attacks. This change is in line with the recommendations of the Open Web Application Security Project (OWASP) to prevent potential security threats such as disclosure of internal files, denial of service, server side request forgery, port scanning, and other system impacts. (Reference: `checkerXmlMetadataXsdValidation.cpp`)

* bump version

* fix version
ptahmose committed May 13, 2024
1 parent e9a12ef commit afc44dd
Showing 3 changed files with 3 additions and 1 deletion.
2 changes: 1 addition & 1 deletion CMakeLists.txt
@@ -5,7 +5,7 @@
cmake_minimum_required(VERSION 3.15)

project(CZICheck
VERSION 0.2.0
VERSION 0.2.1
HOMEPAGE_URL "https://github.com/ZEISS/czicheck"
DESCRIPTION "CZICheck is a validator for CZI-documents")

1 change: 1 addition & 0 deletions CZICheck/checkers/checkerXmlMetadataXsdValidation.cpp
@@ -119,6 +119,7 @@ void CCheckXmlMetadataXsdValidation::RunCheck()
dom_parser.setValidationConstraintFatal(true);
dom_parser.setExitOnFirstFatalError(false);
dom_parser.setExternalNoNamespaceSchemaLocation("");
dom_parser.setDisableDefaultEntityResolution(true); // Disable DTD processing in order to prevent XXE attacks (c.f. https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing).

const MemBufInputSource czi_xml_metadata(reinterpret_cast<const XMLByte*>(xml.c_str()), xml.size(), "dummy", false);
dom_parser.parse(czi_xml_metadata);
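Review bot: the comment on the added line overstates what the call does. `setDisableDefaultEntityResolution(true)` stops the parser from resolving entities through its built-in default resolver, which addresses the external-entity case the linked OWASP page describes, but it is not the same as disabling DTD processing, and it does nothing against internal entity expansion (the "billion laughs" pattern), which is a denial-of-service concern on the same page. Suggest rewording the comment to "disable default entity resolution to prevent XXE" and, if they are not already set in the lines above this hunk, pairing it with `dom_parser.setLoadExternalDTD(false);` and an entity-expansion limit via Xerces' `SecurityManager` (`setSecurityManager` / `setEntityExpansionLimit`), so that all the relevant controls are visible together at this point in `RunCheck()`. A regression test that runs the checker over a metadata document containing an external entity reference and asserts that the reference is left unresolved (or that validation reports an error) would document the intended behaviour better than the flag alone.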
1 change: 1 addition & 0 deletions documentation/version-history.md
@@ -7,3 +7,4 @@ version history {#version_history}
0.1.1 | [4](https://github.com/ZEISS/czicheck/pull/4) | update of metadata-schema (compression)
0.1.2 | [9](https://github.com/ZEISS/czicheck/pull/9) | add checker "subblkbitmapvalid"
0.2.0 | [10](https://github.com/ZEISS/czicheck/pull/10) | add checker "topographymetadata"
0.2.1 | [11](https://github.com/ZEISS/czicheck/pull/11) | disallow DTD-processing (prevent XXE-vulnerability)
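Review bot: the new changelog row says "disallow DTD-processing", while the code change in `checkerXmlMetadataXsdValidation.cpp` disables default entity resolution. The entry would be more useful to users if it described the observable effect, for example that external entity references in the XML metadata are no longer resolved during XSD validation, and whether such documents now fail the check; keeping the wording aligned with the code comment avoids the two drifting apart.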

0 comments on commit afc44dd