XXE and Nextcloud

[jvoisin]

Since some weeks Nextcloud itself calls libxml_set_external_entity_loader() to prevent any XML processing from loading external entities:

libxml_set_external_entity_loader(static function () {
	return null; 
});

Snuffleupagus logs this call if sp.xxe_protection.enable(); is enabled:

The problem is, that Nextcloud cannot parse its config.php if Snuffleupagus tries to nop the function:

Warning: [snuffleupagus][0.0.0.0][xxe][log] A call to libxml_set_external_entity_loader was tried and nopped in /nextcloud/lib/base.php on line 592
Config file has leading content, please remove everything before "<?php" in config.php
Fatal error: Uncaught Error: Typed static property OC::$server must not be accessed before initialization in /nextcloud/index.php:71 Stack trace: #0 {main} thrown in /nextcloud/index.php on line 71

More information about the issue here: hoellen/docker-nextcloud#42

[jvoisin]

I guess there is some logging-related shenenigans in how nextcloud handles configuration processing, as in it doesn't exploit Snuffleupagus to complain when it loads its configuration. I don't think there is much that can be done here from Snuffleupagus' side unfortunately.

Anyway, since Nextcloud is explicitly disabling XXE, there is no need to sp.xxe_protection.enable();; it can simply be replaced with something like this:

sp.disable_function.function("libxml_set_external_entity_loader").filename("/nextcloud/lib/base.php").allow(); 
sp.disable_function.function("libxml_set_external_entity_loader").drop(); 

[hoellen]

Thank you for your suggestion of dropping the call oflibxml_set_external_entity_loader.