[core] Advisory - XXE attack on ruleset parsing #1650
This issue is for future reference.
As part of an unrelated security concern discussion regarding a possible remote code execution (which was discarded as impossible) on a separate issue, I found that our XML parsing wasn't hardened, allowing for XXE attacks.
When PMD was run, the ruleset XMLs were parsed with the default Java parser settings, which allowed an attacker to perform an XXE attack.
Rulesets can be either local files, or accessed through the network over http / https. So, depending on the context, this attack could require physical access to the machine, or be achieved through a man-in-the-middle attack.
The XXE attack can be used to perform information disclosure on the developer's machine, CI servers or other infrastructure running PMD; as well as denial of service attacks and request forgery.
All PMD versions up to PMD 6.0.0 are vulnerable.
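The hardening the advisory implies, as an added example and not PMD's own code: a `DocumentBuilderFactory` configured so that no DOCTYPE, external entity or external DTD is processed, exercised against a constructed benign ruleset and a constructed ruleset carrying a DOCTYPE with an external entity declaration. The class name, the ruleset strings and the `file:///placeholder` URI are assumptions made for this illustration; the feature URIs are the standard Xerces/JAXP ones supported by the JDK's built-in parser.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/** Hypothetical ruleset loader showing the parser settings the default JAXP configuration lacks. */
public class HardenedRulesetParser {

    /** Builds a DocumentBuilder with DTD processing and all external entity resolution disabled. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE outright, so no entity can be declared in the first place.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /** Parses ruleset XML held in memory; a ruleset fetched over the network would go through the same builder. */
    static Document parseRuleset(String xml) throws Exception {
        return hardenedBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign ruleset: parses normally.
        String benign = "<?xml version=\"1.0\"?><ruleset name=\"demo\"><description>d</description></ruleset>";
        System.out.println("benign ruleset root: " + parseRuleset(benign).getDocumentElement().getTagName());

        // Constructed check input: a DOCTYPE declaring an external entity. The hardened parser
        // must fail before any resolution is attempted, so the placeholder URI is never opened.
        String withDoctype = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE ruleset [<!ENTITY ext SYSTEM \"file:///placeholder\">]>"
                + "<ruleset name=\"demo\"><description>&ext;</description></ruleset>";
        try {
            parseRuleset(withDoctype);
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXParseException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

With `disallow-doctype-decl` set, the JDK's parser throws a `SAXParseException` on the DOCTYPE itself, which covers information disclosure, the entity-expansion denial of service and request forgery in one setting; the remaining features only matter for parsers that do not honour it. The same factory should be used whether the ruleset comes from a local file or over HTTP/HTTPS, since the advisory notes both paths reach the parser.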