OWASP XXE Vulnerability #25

Closed
kyleburton opened this issue Aug 6, 2015 · 9 comments

Comments

@kyleburton
Owner

Louis Nyffenegger informed me of the OWASP XXE Processing Vulnerability.

The proposed solution is to configure the dom parser with the following features and default values:

;; Inside (doto factory ...), where factory is a javax.xml.parsers.DocumentBuilderFactory;
;; the bare symbols hold the Xerces/SAX feature URI strings, and `opts` is the
;; caller's options map (the third argument to the lookup is the default).
(.setFeature XMLConstants/FEATURE_SECURE_PROCESSING (:feature-secure-processing   opts true))
(.setFeature disallow-doctype-decl                  (:disallow-doctype-decl       opts true))
(.setFeature external-general-entities              (:external-general-entities   opts false))
(.setFeature external-parameter-entities            (:external-parameter-entities opts false))

A patch, tests and a release will be forthcoming.

Kyle

@wagjo
Contributor

wagjo commented Aug 20, 2015

This change causes a problem when a DOCTYPE with an external DTD is present and I don't want it to load. Please expose an additional feature called "http://apache.org/xml/features/nonvalidating/load-external-dtd" and set it to false by default.

@kyleburton
Owner Author

Hi @wagjo,

Do you have any test cases that demonstrate the behavior you're looking to have affected? Having examples added into the test suite will ensure the change you're requesting behaves as expected.

Regards,

Kyle

@wagjo
Contributor

wagjo commented Aug 29, 2015

For example, when parsing results from PubMed, e.g. http://eutils.ncbi.nlm.nih.gov/entrez/eutils/esearch.fcgi?db=pubmed&term=cancer&reldate=60&datetype=edat&retmax=10, the returned XML document has a DOCTYPE and clj-xpath throws. The workaround is to enable validating the DTD, but you are stuck if you want to skip loading the DTD (for either performance or security reasons).

@kyleburton
Owner Author

@wagjo, looking at the documentation for load-external-dtd:

https://xerces.apache.org/xerces2-j/features.html#nonvalidating.load-external-dtd

It states "Note: This feature is always on when validation is on." which seems to be in conflict with what you're looking for (validation but no loading of the external dtd). I've tried setting load-external-dtd to false and validating to true, but the document builder still fetches the DTD. Are you aware of how to achieve the behavior you are asking for? Asking to perform validation but not fetch the DTDs necessary for validation sounds incompatible.

Kyle

@wagjo
Contributor

wagjo commented Aug 30, 2015

Sorry if I was not clear. My goal is to neither perform validation nor load the DTD. This is not currently possible in clj-xpath when a DOCTYPE declaration is present in the fetched XML.

@nickcotter

I'm afraid I'm running into this issue too - there's a DOCTYPE in the fetched XML, I don't want or need validation, and parsing fails with:

[Fatal Error] :2:10: DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl" set to true.

I can't see how to turn off this feature as it stands.

@kyleburton
Owner Author

Nick, do you know how to configure the Java-based XML parser to do what you want? If you can show an example of how to configure the settings, I can make sure clj-xpath exposes the ability to use it. Also, if you have a representative test case I will add it into the library.

@wagjo
Contributor

wagjo commented Dec 14, 2015

Pull request #27 provides fix.

@nickcotter

I believe it's something like this:

// called on the javax.xml.parsers.DocumentBuilderFactory (DocumentBuilder has no
// setAttribute); the JAXP-standard equivalent is factory.setFeature(name, false)
factory.setAttribute("http://apache.org/xml/features/disallow-doctype-decl",
                     Boolean.FALSE);

I don't have a test case at the moment. Personally I'd be happy with ignoring the doc type as per Jozef Wagner's note about #27.

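To make the two configurations discussed in this thread concrete, here is an added example in Clojure (not part of clj-xpath or of this issue): a strict factory matching the defaults Kyle proposed, and a factory that accepts a DOCTYPE but neither validates nor loads the external DTD, which is what wagjo and nickcotter asked for. The feature URIs are the standard Xerces/SAX ones; the sample document, the `example.invalid` DTD host and the tripwire EntityResolver are constructed for the demonstration.

```clojure
(ns xxe-example
  (:import [javax.xml XMLConstants]
           [javax.xml.parsers DocumentBuilderFactory]
           [java.io StringReader]
           [org.xml.sax InputSource EntityResolver]))

;; Standard SAX/Xerces feature URIs (the names kyleburton's snippet refers to).
(def disallow-doctype-decl "http://apache.org/xml/features/disallow-doctype-decl")
(def external-general-entities "http://xml.org/sax/features/external-general-entities")
(def external-parameter-entities "http://xml.org/sax/features/external-parameter-entities")
(def load-external-dtd "http://apache.org/xml/features/nonvalidating/load-external-dtd")

(defn hardened-factory
  "Strict default: any DOCTYPE is rejected, so no DTD or entity is ever fetched."
  ^DocumentBuilderFactory []
  (doto (DocumentBuilderFactory/newInstance)
    (.setFeature XMLConstants/FEATURE_SECURE_PROCESSING true)
    (.setFeature disallow-doctype-decl true)
    (.setFeature external-general-entities false)
    (.setFeature external-parameter-entities false)
    (.setExpandEntityReferences false)))

(defn doctype-tolerant-factory
  "Accepts a DOCTYPE (as in PubMed responses) without validating, without
   fetching the external DTD and without resolving external entities."
  ^DocumentBuilderFactory []
  (doto (DocumentBuilderFactory/newInstance)
    (.setFeature XMLConstants/FEATURE_SECURE_PROCESSING true)
    (.setFeature disallow-doctype-decl false)
    (.setFeature load-external-dtd false)
    (.setFeature external-general-entities false)
    (.setFeature external-parameter-entities false)
    (.setValidating false)
    (.setExpandEntityReferences false)))

;; Constructed sample: a DOCTYPE naming a remote DTD, shaped like a PubMed reply.
(def sample-xml
  "<?xml version=\"1.0\"?>
<!DOCTYPE eSearchResult PUBLIC \"-//NLM//DTD esearch//EN\" \"http://dtd.example.invalid/esearch.dtd\">
<eSearchResult><Count>3</Count></eSearchResult>")

(defn parse-with
  "Parses xml with a builder from f; the tripwire resolver turns any attempt to fetch a DTD or external entity into a loud failure."
  [^DocumentBuilderFactory f ^String xml]
  (let [builder (.newDocumentBuilder f)]
    (.setEntityResolver builder
      (reify EntityResolver
        (resolveEntity [_ public-id system-id]
          (throw (ex-info "parser tried to fetch an external resource"
                          {:public-id public-id :system-id system-id})))))
    (.parse builder (InputSource. (StringReader. xml)))))
```

`(parse-with (hardened-factory) sample-xml)` fails with the "DOCTYPE is disallowed" error quoted earlier in the thread, while `(parse-with (doctype-tolerant-factory) sample-xml)` returns the Document and the tripwire never fires, because with validation off and load-external-dtd false Xerces never reads the external subset.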
