Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

XXE in Xml.java #931

Closed
prodigysml opened this issue Sep 29, 2018 · 0 comments
Closed

XXE in Xml.java #931

prodigysml opened this issue Sep 29, 2018 · 0 comments
Assignees
@conker84
Labels
Larus

Comments

@prodigysml
Copy link

The Issue

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Where the Issue Occurred

The following code snippets display the usage of DocumentBuilderFactory without securely disabling entities:

neo4j-apoc-procedures/src/main/java/apoc/load/Xml.java

Line 74 in 591f8ed

Document doc = documentBuilder.parse(Util.openInputStream(url, headers, null));

@jexp jexp added the Larus label Oct 24, 2018
conker84 added a commit to conker84/neo4j-apoc-procedures that referenced this issue Oct 25, 2018
@conker84
Fixes neo4j-contrib#931
fe99ce7
@jexp jexp closed this as completed in 45bc09c Oct 26, 2018
jexp pushed a commit that referenced this issue Nov 16, 2018
@conker84 @jexp
Fixes #931 (#962)
e04325c
@jexp jexp mentioned this issue May 1, 2019
Closed
@taseroth taseroth mentioned this issue May 22, 2019
Merged
jexp pushed a commit that referenced this issue May 23, 2019
@taseroth @jexp
allow loading of xml with DTD references, fixes #1185 (#1208)
cce30bb 
loading of xml files was previously forbidden (#931). With this change,
an dummy entity resolver is registered that does nothing, e.g. does not
load external files.
jexp pushed a commit that referenced this issue May 29, 2019
@taseroth @jexp
allow loading of xml with DTD references, fixes #1185 (#1208)
5cf5f95 
loading of xml files was previously forbidden (#931). With this change,
an dummy entity resolver is registered that does nothing, e.g. does not
load external files.
conker84 pushed a commit to conker84/neo4j-apoc-procedures that referenced this issue May 29, 2019
@taseroth @conker84
allow loading of xml with DTD references, fixes neo4j-contrib#1185 (n…
2d03f5a 
…eo4j-contrib#1208)

loading of xml files was previously forbidden (neo4j-contrib#931). With this change,
an dummy entity resolver is registered that does nothing, e.g. does not
load external files.
@elanzini elanzini mentioned this issue Jul 3, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@conker84 conker84

Labels
Larus
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jexp @conker84 @prodigysml