Disable XML External Entity load in XmlUtil.java in tests #6133

Closed
ProDigySML opened this issue Sep 29, 2018 · 11 comments

@ProDigySML
commented Sep 29, 2018

The Issue

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Where the Issue Occurred

The following code snippets display the usage of XMLReader without securely disabling entities:

rawXml = builder.parse(new InputSource(new StringReader(code)));
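
Added example, not part of the original issue and not Checkstyle's own fix: one way to configure a `DocumentBuilderFactory` so that a `builder.parse(...)` call like the one quoted above rejects DOCTYPE declarations and external entities. The class and method names and the sample inputs are constructed for illustration, and the Apache feature URIs assume the JDK's built-in Xerces-based parser.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlParse {

    /** Builds a DocumentBuilder that refuses DTDs and external entities. */
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting any DOCTYPE removes the entity-declaration mechanism entirely.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case DOCTYPE ever has to be allowed again.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    /** Same call shape as the line quoted in the issue, on a hardened builder. */
    static Document parse(String code) throws Exception {
        return newHardenedBuilder().parse(new InputSource(new StringReader(code)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a plain document and one declaring an external entity.
        String plain = "<module name=\"Checker\"/>";
        String withEntity = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE r [<!ENTITY ext SYSTEM \"file:///placeholder-not-a-real-path\">]>"
            + "<r>&ext;</r>";

        System.out.println("plain root: " + parse(plain).getDocumentElement().getTagName());
        try {
            parse(withEntity);
            System.out.println("entity document parsed (parser is NOT hardened)");
        } catch (SAXException e) {
            // The DOCTYPE is rejected before any entity is resolved.
            System.out.println("entity document rejected: " + e.getMessage());
        }
    }
}
```

If a parser implementation does not recognise one of the feature URIs, `setFeature` throws `ParserConfigurationException`, so a misconfiguration fails loudly instead of silently leaving entities enabled.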

@rnveach

Member

commented Oct 2, 2018

checkstyle/src/test/java/com/puppycrawl/tools/checkstyle/internal/utils/XmlUtil.java

This is in the test folder, so it is only executed when running the tests and wouldn't impact the released jar given to the public.

@ProDigySML You didn't find any issues with the code under the main folder? Like in https://github.com/checkstyle/checkstyle/blob/master/src/main/java/com/puppycrawl/tools/checkstyle/XmlLoader.java

@rnveach added the approved label Oct 2, 2018

@romani

Member

commented Oct 19, 2018

@ProDigySML, please let us know how you detected this security issue.

If you know how to fix it, please let us know, or just send a PR.

@ProDigySML

Author

commented Oct 20, 2018

This was basically just reading code. Apologies, I didn't realise it was a test folder.

@romani

Member

commented Oct 20, 2018

If you know how to fix it, please send a Pull Request.

@JLLeitschuh


commented Mar 14, 2019

@romani Has this also been resolved as part of #6474?

@rnveach

Member

commented Mar 14, 2019

@JLLeitschuh No.
This issue is for test-only code, XmlUtil. #6474 changed production code, XmlLoader.

@JLLeitschuh


commented Mar 14, 2019

Okay. This should be closed then probably.
If you google "Checkstyle XXE", this is the first result. Just a heads up.

@rnveach

Member

commented Mar 14, 2019

@JLLeitschuh The issue hasn't been fixed, which is why it is still open. It won't affect users since it is only in test code.

@romani changed the title from "XXE in XmlUtil.java" to "Disable XML External Entity load in XmlUtil.java in tests" Mar 15, 2019

romani added a commit that referenced this issue Mar 15, 2019

rnveach added a commit that referenced this issue Mar 16, 2019

@rnveach

Member

commented Mar 16, 2019

Fix was merged

@rnveach closed this Mar 16, 2019

@romani added this to the 8.19 milestone Mar 16, 2019

@romani

Member

commented Mar 16, 2019

We deploy our test jar to Maven Central, for example http://repo1.maven.org/maven2/com/puppycrawl/tools/checkstyle/8.18/, so potentially users can reuse our test classes in their applications/plugins/....

@JLLeitschuh


commented Mar 16, 2019

@romani Since this was deployed, as a published consumable by users, does this warrant another CVE number?

@ProDigySML Did you see this vulnerability impacting your active development environment?

Vantuz added a commit to Vantuz/checkstyle that referenced this issue Apr 3, 2019
