TINKERPOP-2589 Prevent XXE with defaults of GraphMLReader CTR

apache · Jul 27, 2021 · 7c2c4f3 · 7c2c4f3
1 parent 8e3f9e5
commit 7c2c4f3
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 5 deletions.
diff --git a/.gitignore b/.gitignore
@@ -36,3 +36,4 @@ NuGet.Config
 nuget*.exe
 /Dockerfile
 docs/gremlint/
+gremlint/
diff --git a/CHANGELOG.asciidoc b/CHANGELOG.asciidoc
@@ -23,6 +23,8 @@ image::https://raw.githubusercontent.com/apache/tinkerpop/master/docs/static/ima
 [[release-3-4-13]]
 === TinkerPop 3.4.13 (Release Date: NOT OFFICIALLY RELEASED YET)
 
+* Prevented XML External Entity (XXE) style attacks via `GraphMLReader` by disabling DTD and external entities by default.
+
 [[release-3-4-12]]
 === TinkerPop 3.4.12 (Release Date: July 19, 2021)
 

diff --git a/...n-core/src/main/java/org/apache/tinkerpop/gremlin/structure/io/graphml/GraphMLReader.java b/...n-core/src/main/java/org/apache/tinkerpop/gremlin/structure/io/graphml/GraphMLReader.java
@@ -45,10 +45,10 @@
 import java.util.stream.Stream;
 
 /**
- * GraphMLReader writes the data from a GraphML stream to a graph.  Note that this format is lossy, in the sense that data
- * types and features of Gremlin Structure not supported by GraphML are not serialized.  This format is meant for
- * external export of a graph to tools outside of Gremlin Structure graphs.  Note that GraphML does not support
- * the notion of multi-properties or properties on properties.
+ * {@code GraphMLReader} writes the data from a GraphML stream to a graph.  Note that this format is lossy, in the
+ * sense that data types and features of Gremlin Structure not supported by GraphML are not serialized.  This format
+ * is meant for external export of a graph to tools outside of Gremlin Structure graphs.  Note that GraphML does not
+ * support the notion of multi-properties or properties on properties.
  *
  * @author Marko A. Rodriguez (http://markorodriguez.com)
  * @author Alex Averbuch (alex.averbuch@gmail.com)
@@ -384,7 +384,10 @@ public Builder batchSize(final long batchSize) {
         }
 
         /**
-         * the key to use as the inputFactory when a caller wants to pass XMLInputFactory with its own configuration.
+         * A custom {@code XMLInputFactory}. If this value is not set then a default one is constructed. The default
+         * will be configured to disable DTDs and support of external entities to prevent
+         * <a href="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser">XXE</a>
+         * style attacks.
          */
         public Builder xmlInputFactory(final XMLInputFactory inputFactory) {
             this.inputFactory = inputFactory;
@@ -394,6 +397,11 @@ public Builder xmlInputFactory(final XMLInputFactory inputFactory) {
         public GraphMLReader create() {
             if (this.inputFactory == null) {
                 this.inputFactory = XMLInputFactory.newInstance();
+
+                // prevent XXE
+                // https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
+                inputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+                inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
             }
             return new GraphMLReader(this);
         }