OWASP XXE Vulnerability #25
Comments
This change causes a problem when a DOCTYPE with an external DTD is present and I don't want it to load. Please expose an additional feature called "http://apache.org/xml/features/nonvalidating/load-external-dtd" and set it to false by default.
Hi @wagjo, do you have any test cases that demonstrate the behavior you're looking to have affected? Having examples added into the test suite will ensure the change you're requesting behaves as expected. Regards, Kyle
For example, when parsing results from Pubmed, e.g. http://eutils.ncbi.nlm.nih.gov/entrez/eutils/esearch.fcgi?db=pubmed&term=cancer&reldate=60&datetype=edat&retmax=10, the returned XML document has a doctype and clj-xpath throws. The workaround is to enable validating the DTD, but you are stuck if you want to skip loading the DTD (either for performance or security reasons).
@wagjo, looking at the documentation for load-external-dtd: https://xerces.apache.org/xerces2-j/features.html#nonvalidating.load-external-dtd It states "Note: This feature is always on when validation is on." which seems to be in conflict with what you're looking for (validation but no loading of the external DTD). I've tried setting load-external-dtd to false and validating to true, but the document builder still fetches the DTD. Are you aware of how to achieve the behavior you are asking for? Asking to perform validation but not fetch the DTDs necessary for validation sounds incompatible. Kyle
Sorry if I was not clear. My goal is to perform neither validation nor DTD loading. This is not currently possible in clj-xpath if a DOCTYPE statement is present in the fetched XML.
I'm afraid I'm running into this issue too: there's a DOCTYPE in the fetched XML, I don't want or need validation, and parsing fails with:
I can't see how to turn off this feature as it stands.
Nick, do you know how to configure the Java-based XML parser to do what you want? If you can show an example of how to configure the settings, I can make sure clj-xpath exposes the ability to use it. Also, if you have a representative test case I will add it into the library.
Pull request #27 provides a fix.
I believe it's something like this: documentBuilder.setAttribute("http://apache.org/xml/features/disallow-doctype-decl", I don't have a test case at the moment. Personally I'd be happy with
On Mon, 14 Dec 2015 at 14:56 Kyle Burton notifications@github.com wrote:
Louis Nyffenegger informed me of the OWASP XXE Processing vulnerability.
The proposed solution is to configure the DOM parser with the following features and default values:
A patch, tests and a release will be forthcoming.
Kyle
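As an added example (not code from this thread, from PR #27, or from clj-xpath itself), the Clojure below uses plain JAXP interop to build the two parser configurations the discussion keeps circling: one that refuses any DOCTYPE outright, which is the posture OWASP recommends against XXE, and one that still accepts a Pubmed-style document with a DOCTYPE but never fetches the external DTD or any external entity and performs no validation. The sample document, the DTD URL "http://dtd.example/entrez.dtd" and the path "file:///etc/hostname" inside it are constructed for the example; nothing is fetched from the network.

```clojure
(ns xxe-example
  (:import [javax.xml.parsers DocumentBuilderFactory]
           [java.io StringReader]
           [org.xml.sax InputSource SAXException]))

;; Constructed sample (not a real Pubmed response): a DOCTYPE that points at
;; an external DTD, the shape that made clj-xpath throw in the reports above,
;; plus an external entity of the kind the OWASP XXE page warns about.
;; Both URIs are placeholders and are never contacted.
(def sample-xml
  (str "<?xml version=\"1.0\"?>\n"
       "<!DOCTYPE eSearchResult SYSTEM \"http://dtd.example/entrez.dtd\" [\n"
       "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n"
       "]>\n"
       "<eSearchResult><Count>&xxe;</Count></eSearchResult>"))

(defn hardened-factory
  "Factory that rejects any document carrying a DOCTYPE. The first feature
   is the one that matters; the remaining settings are defence in depth in
   case a caller later relaxes it."
  []
  (doto (DocumentBuilderFactory/newInstance)
    (.setFeature "http://apache.org/xml/features/disallow-doctype-decl" true)
    (.setFeature "http://apache.org/xml/features/nonvalidating/load-external-dtd" false)
    (.setFeature "http://xml.org/sax/features/external-general-entities" false)
    (.setFeature "http://xml.org/sax/features/external-parameter-entities" false)
    (.setXIncludeAware false)
    (.setExpandEntityReferences false)
    (.setValidating false)))

(defn dtd-tolerant-factory
  "Factory for callers who must accept a DOCTYPE (the Pubmed case): the
   declaration is allowed, but validation is off, the external DTD is never
   loaded, external entities are never resolved, and entity references are
   left unexpanded in the DOM."
  []
  (doto (DocumentBuilderFactory/newInstance)
    (.setFeature "http://apache.org/xml/features/nonvalidating/load-external-dtd" false)
    (.setFeature "http://xml.org/sax/features/external-general-entities" false)
    (.setFeature "http://xml.org/sax/features/external-parameter-entities" false)
    (.setXIncludeAware false)
    (.setExpandEntityReferences false)
    (.setValidating false)))

(defn parse-string
  "Parse XML text with a DocumentBuilder from the given factory."
  [^DocumentBuilderFactory factory ^String xml]
  (.parse (.newDocumentBuilder factory)
          (InputSource. (StringReader. xml))))

(defn try-parse
  "Parse the sample with the given factory and report what happened:
   either the root element's text (which must not contain file contents)
   or the parser's rejection message."
  [label factory]
  (try
    (let [doc  (parse-string factory sample-xml)
          text (.getTextContent (.getDocumentElement doc))]
      (println label "parsed; root text is" (pr-str text)))
    (catch SAXException e
      (println label "rejected:" (.getMessage e)))))

(defn -main [& _]
  ;; Expected: the hardened factory rejects the DOCTYPE before any DTD or
  ;; entity is considered; the tolerant one parses without contacting either
  ;; placeholder URI and without pulling the file's contents into <Count>.
  (try-parse "hardened-factory    " (hardened-factory))
  (try-parse "dtd-tolerant-factory" (dtd-tolerant-factory)))
```

Run it with `clj -M -m xxe-example` or paste it into a REPL. The feature URIs are the standard Xerces ones, which the JDK's bundled parser understands; if a different parser on the classpath does not recognise one of them, setFeature throws ParserConfigurationException at factory construction, which is the right failure mode for a security setting, since it never silently falls back to fetching. Note that neither configuration relies on setValidating, which is the knob the thread found insufficient: turning validation off does not by itself stop the DTD fetch, and turning it on forces the fetch, so the load-external-dtd and entity features are the ones that actually decide whether the network or filesystem is touched.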