Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix potential security risk when using Spring OXM [SPR-10806] #15432

Closed
spring-issuemaster opened this Issue Aug 5, 2013 · 0 comments

Comments

Projects
None yet
2 participants
@spring-issuemaster
Copy link
Collaborator

spring-issuemaster commented Aug 5, 2013

Arjen Poutsma opened SPR-10806 and commented

The issue is concerned with XML entity resolution. The idea is to use an XML entity to resolve to an local file on the host system (for instance, /etc/passwd). See https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing for more details. To resolve this issue, simply disable external entity resolution when dealing with XML from external sources. The way to do that depends on the XML API that you use.

DOM
When using DOM, simply set the expandEntityReferences property on the DocumentBuilderFactory to false. For instance:

DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setExpandEntityReferences(false);
DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
Document document = documentBuilder.parse(externalSource);

SAX
When using SAX, set the "http://xml.org/sax/features/external-general-entities" feature on the XMLReader to false. For instance:

XMLReader xmlReader = XMLReaderFactory.createXMLReader();
xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
xmlReader.parse(new InputSource(externalSource));

StAX
When using StAX, set the IS_REPLACING_ENTITY_REFERENCES property on the XMLInputFactory to false. For instance:

XMLInputFactory factory = XMLInputFactory.newInstance();
factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);
XMLStreamReader reader = factory.createXMLStreamReader(externalSource);

Spring OXM

When using any of the Spring OXM Marshallers for unmarshalling from an external source, please use the code above to disable entity resolution before passing on a Source to the marshaller. For instance, when using DOM:

DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setExpandEntityReferences(false);
DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
Document document = documentBuilder.parse(externalSource);
DOMSource source = new DOMSource(document);
Jaxb2Marshaller jaxb2Marshaller = ...
Object unmarshalled = jaxb2Marshaller.unmarshal(source);

Affects: 3.2.3

Attachments:

Issue Links:

  • #16003 Jaxb2RootElementHttpMessageConverter is susceptible to XXE vulnerability
  • #15704 Disable the processing of external entities in SourceHttpMessageConverter by default
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.