Activated defense against XML eXternal Entity (XXE) attacks
Showing 2 changed files with 26 additions and 17 deletions.
494f821
@vruusmann would you be willing to back-port this to branches 1.3 and 1.2 and consider a new release of those? AFAICT this might affect Spark, and there are versions still using the older JPMML. Or if I tried to back-port, would that help?
@srowen Defense against XEE and XXE attacks is achieved simply by activating some XMLReader configuration options. It was previously mentioned in the README file, but I doubt that many end users actually noticed and cared about it all. This commit simply activates those configuration options for the most common JPMML-Model unmarshalling utility methods.
Don't know if backporting this commit alone is worth it. There were some API changes right before and after it, which aimed to make the SAX filtering more unified and intuitive (e.g. a SAX filter for skipping whitespace characters - it used to be stored in JAXB class model classes, and consumed loads of memory).
Apache Spark is a PMML producer. This attack vector is more relevant for PMML consumers, which may be exposed to malevolent content (e.g. XML upload by third parties).
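The hardening the comment above describes, activating XMLReader features before handing the parser to a JAXB Unmarshaller, as an added illustration that is not JPMML-Model's own code; the feature URIs are the standard SAX/Xerces ones supported by the JDK parser, the sample document is constructed, and `YourRootClass` is a placeholder for whatever JAXB root class the consumer uses:

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;

public class HardenedSaxSource {

    // Build an XMLReader with entity resolution switched off. Features that a
    // non-Xerces parser does not recognise will throw SAXNotRecognizedException,
    // which is preferable to silently parsing untrusted XML with defaults.
    public static XMLReader newHardenedReader() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        // Rejecting any DOCTYPE closes both external entities (XXE) and
        // internal entity expansion (XEE, "billion laughs") in one step.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that allow a DOCTYPE anyway.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Enforces the JAXP entity-expansion limits.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return factory.newSAXParser().getXMLReader();
    }

    // Wrap untrusted XML so that JAXB parses it through the hardened reader
    // (Unmarshaller.unmarshal(Source) uses the reader inside the SAXSource).
    public static SAXSource hardenedSource(String xml) throws Exception {
        return new SAXSource(newHardenedReader(), new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a document carrying a DOCTYPE with an internal entity.
        String untrusted = "<!DOCTYPE pmml [<!ENTITY e \"x\">]><PMML>&e;</PMML>";
        SAXSource source = hardenedSource(untrusted);
        try {
            source.getXMLReader().parse(source.getInputSource());
            System.out.println("parsed: hardening is NOT in effect");
        } catch (SAXParseException e) {
            System.out.println("rejected at DOCTYPE: " + e.getMessage());
        }
        // With JAXB on the classpath the same source feeds the unmarshaller:
        // Unmarshaller u = JAXBContext.newInstance(YourRootClass.class).createUnmarshaller();
        // Object root = u.unmarshal(hardenedSource(untrusted));
    }
}
```

The check a consumer wants is the `rejected at DOCTYPE` branch; if the document parses, the features were not applied to the reader that JAXB actually used.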
Yeah on a second look, I don't see that Spark would unmarshal XML, so I don't know if it's even affected. Thanks!