Fix CWE-611
This commit fixes the issue described on
https://cwe.mitre.org/data/definitions/611.html

Nb: it's mostly the same as ad6615b but
with an added reference to org.apache.xerces in order to avoid the
AbstractMethodError that was experienced by users back then.

Nb2: writing down the payload with which I tested this patch, in case I
need to run this test again in the future:

    <?xml version="1.0"?>
    <!DOCTYPE replace [<!ENTITY ent SYSTEM "http://localhost/malware"> ]>
    <methodResponse>
        <params>
            <param>
               <value><string>&ent;</string></value>
            </param>
        </params>
    </methodResponse>
gturri committed Jan 25, 2024
1 parent ff23c94 commit 456752e
Showing 3 changed files with 16 additions and 1 deletion.
1 change: 1 addition & 0 deletions Changelog
@@ -1,3 +1,4 @@
Fix security issue CWE-611
Add support for CDATA section in the server response

1.13.0
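Review bot: the new entry `Fix security issue CWE-611` records only the fix, but this commit also makes the parser reject any `<!DOCTYPE>` declaration (via `disallow-doctype-decl`) and adds `xerces:xercesImpl` as a dependency; both are visible to consumers (a response carrying a DOCTYPE that parsed before will now fail), so mention them here alongside the CWE-611 line.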
5 changes: 5 additions & 0 deletions pom.xml
Expand Up @@ -42,6 +42,11 @@
<artifactId>jISO8601</artifactId>
<version>0.2</version>
</dependency>
<dependency>
<groupId>xerces</groupId>
<artifactId>xercesImpl</artifactId>
<version>2.12.2</version>
</dependency>
<dependency>
<groupId>com.github.tomakehurst</groupId>
<artifactId>wiremock-jre8</artifactId>
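Review bot: the new `xerces:xercesImpl` 2.12.2 dependency has no `<scope>`, so it ships on every consumer's compile and runtime classpath and is likely to become the JAXP provider for all XML code in their application, not just this library's `ResponseParser`. The commit message says it is there to avoid an `AbstractMethodError`; record that reason in an XML comment next to the dependency, and consider whether an `optional`/`provided` scope plus a README note is the better contract, since `DocumentBuilderFactory.newInstance()` still picks whichever provider service lookup finds first.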
11 changes: 10 additions & 1 deletion src/main/java/de/timroes/axmlrpc/ResponseParser.java
Expand Up @@ -10,6 +10,7 @@

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
Expand Down Expand Up @@ -45,9 +46,17 @@ public class ResponseParser {
public Object parse(SerializerHandler serializerHandler, InputStream response, boolean debugMode) throws XMLRPCException {

try {

DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();

// Ensure the xml parser won't allow exploitation of the vuln CWE-611
// (described on https://cwe.mitre.org/data/definitions/611.html )
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setExpandEntityReferences(false);
factory.setNamespaceAware(true);
factory.setXIncludeAware(false);
factory.setExpandEntityReferences(false);
// End of the configuration of the parser for CWE-611

DocumentBuilder builder = factory.newDocumentBuilder();
Document dom = builder.parse(response);
if (debugMode ){
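Review bot: `factory.setExpandEntityReferences(false);` is set twice in this hunk (once before `setNamespaceAware(true)` and again after `setXIncludeAware(false)`); drop one. `setNamespaceAware(true)` is not part of the CWE-611 hardening and changes how the DOM is built for every response, so either leave it out of this block or explain it separately; `disallow-doctype-decl` alone already rejects the DOCTYPE in the commit message's test payload, and the remaining calls are defence in depth. Note also that `setFeature` throws `ParserConfigurationException` when the provider does not support the feature (hence the new import), so the `catch` below this hunk should turn that into an `XMLRPCException` rather than let parsing proceed with an unhardened factory.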

0 comments on commit 456752e