Preventing Denial of Service attack at the server side [SWS-873] #948

Closed
gregturn opened this issue Apr 15, 2014 · 4 comments
@gregturn gregturn commented Apr 15, 2014

Dinesh Angolkar opened SWS-873 and commented

Hi,
The request I am trying to send through WebServiceTemplate at the client side is as follows:

<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">

]>
<lolz>&lol9;</lolz>

At the server side, I am extending "AxiomSoapMessageFactory" and overriding its "createXmlInputFactory()" method to create an instance of WstxInputFactory, and injecting this into MessageDispatcherServlet. On the WstxInputFactory instance, I am setting "IS_REPLACING_ENTITY_REFERENCES" & "IS_SUPPORTING_EXTERNAL_ENTITIES" to "false".

However, when I send the above request, execution goes to FrameworkServlet and then DispatcherServlet, but before it even reaches the MessageDispatcherServlet it fails, throwing a Java heap space error.
It is trying to create a String object using StringBuilder for the request XML, but since the request XML has nested entity references it throws an out-of-memory exception.

Please see the attachment for the exception.

After debugging in detail I came to know that the Java heap space error is first caught as an InvocationTargetException in org.springframework.web.method.support.InvocableHandlerMethod.invoke().

Because of this the execution control is not going from the DispatcherServlet to the MessageDispatcherServlet.doService() method.

Please help me in resolving this Error.


Affects: 2.1.4

Attachments:

Referenced from: commits 09d614b

@gregturn gregturn commented Apr 15, 2014

Arjen Poutsma commented

I do not have access to Microsoft Word. Could you attach the stack trace in another format? Or better yet: paste it in a comment in noformat tags?

@gregturn gregturn commented Apr 15, 2014

Dinesh Angolkar commented

org.springframework.web.util.NestedServletException: Handler processing failed; nested exception is java.lang.OutOfMemoryError: Java heap space
	at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:972)
	at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:852)
	at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:882)
	at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:789)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at com.cannontech.servlet.filter.GeneralSecurityFilter.doFilter(GeneralSecurityFilter.java:27)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at com.cannontech.servlet.filter.FacesFilter.doFilter(FacesFilter.java:38)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at com.cannontech.servlet.filter.TimerFilter.doFilter(TimerFilter.java:36)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at com.cannontech.web.util.ErrorHelperFilter.doFilter(ErrorHelperFilter.java:139)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at com.cannontech.web.login.LoginFilter.doFilter(LoginFilter.java:145)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1002)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:585)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:312)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:744)
Caused by: java.lang.OutOfMemoryError: Java heap space
	at java.util.Arrays.copyOf(Arrays.java:2367)
	at java.lang.AbstractStringBuilder.expandCapacity(AbstractStringBuilder.java:130)
	at java.lang.AbstractStringBuilder.ensureCapacityInternal(AbstractStringBuilder.java:114)
	at java.lang.AbstractStringBuilder.append(AbstractStringBuilder.java:535)
	at java.lang.StringBuilder.append(StringBuilder.java:204)
	at com.sun.org.apache.xalan.internal.xsltc.trax.SAX2DOM.characters(SAX2DOM.java:117)
	at com.sun.org.apache.xml.internal.serializer.ToXMLSAXHandler.characters(ToXMLSAXHandler.java:546)
	at org.apache.xerces.parsers.AbstractSAXParser.characters(Unknown Source)
	at org.apache.xerces.impl.dtd.XMLDTDValidator.characters(Unknown Source)
	at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanContent(Unknown Source)
	at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
	at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
	at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
	at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
	at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
	at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
	at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transformIdentity(TransformerImpl.java:650)
	at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(TransformerImpl.java:746)
	at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(TransformerImpl.java:359)
	at org.springframework.ws.client.core.WebServiceTemplate$5.doWithMessage(WebServiceTemplate.java:496)
	at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:573)
	at org.springframework.ws.client.core.WebServiceTemplate.sendAndReceive(WebServiceTemplate.java:539)
	at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:494)
	at org.springframework.ws.client.core.WebServiceTemplate.sendSourceAndReceiveToResult(WebServiceTemplate.java:438)
	at com.cannontech.web.support.development.EimTestController.sendSoapRequest(EimTestController.java:162)
	at com.cannontech.web.support.development.EimTestController.executeRequest(EimTestController.java:127)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at org.springframework.web.method.support.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:219)
	at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:132)
04/11/2014 15:31:51,533 IST [http-bio-8080-exec-5] ERROR 
@gregturn gregturn commented Apr 15, 2014

Arjen Poutsma commented

I don't think there is anything we can do about the particular issue you're running into. That said, disabling the "IS_REPLACING_ENTITY_REFERENCES" & "IS_SUPPORTING_EXTERNAL_ENTITIES" properties is a good idea by default. I've changed the AxiomSoapMessageFactory accordingly.
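For a reader working through this thread, the following is an added example in Java; it is not code from the Spring-WS project or from either commenter. Two things on this page drive it. First, the reporter's server-side fix: a hardened StAX factory returned from a createXmlInputFactory() override. Second, what the stack trace actually shows: the OutOfMemoryError sits under WebServiceTemplate.sendSourceAndReceiveToResult, inside the JAXP identity transformer's own Xerces SAX parse of the request Source, on the client, before any hardened server-side factory is consulted. So the client must also hand the transformer a parser that refuses a DOCTYPE, which is what hardenedSource() does by wrapping the payload in a SAXSource with its own XMLReader. The example assumes Apache Xerces and the JDK's bundled xsltc transformer (the classes in the trace), uses a constructed three-level cut of the posted payload so the default parser survives it for comparison, and treats the Woodstox maxEntityCount property name as an assumption, guarded by isPropertySupported so the JDK's own StAX implementation still runs it.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class EntityExpansionHardening {

    // Constructed sample: a three-level cut of the posted payload. Expanded, lol3 is
    // only 300 characters, so a default parser survives it and the difference in
    // behaviour can be observed; the nine-level original expands to ~3e9 characters.
    static final String LOLZ =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE lolz [\n"
      + "<!ENTITY lol \"lol\">\n"
      + "<!ENTITY lol2 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n"
      + "<!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n"
      + "]>\n"
      + "<lolz>&lol3;</lolz>";

    /** Server side: the StAX factory a createXmlInputFactory() override would return. */
    static XMLInputFactory hardenedStaxFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // The two properties named in the report.
        f.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // Refusing the DTD stops the entity declarations from being read at all.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        // Woodstox 4.2+ can additionally cap entity expansion. The property name is an
        // assumption here; the guard keeps the JDK's own StAX implementation working.
        if (f.isPropertySupported("com.ctc.wstx.maxEntityCount")) {
            f.setProperty("com.ctc.wstx.maxEntityCount", 100L);
        }
        return f;
    }

    /** Reads the whole document with the given factory and reports what the parser
        did with the entity reference, without ever materialising it as one String. */
    static String staxOutcome(XMLInputFactory f, String xml) {
        try {
            XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
            long textChars = 0;
            int entityRefs = 0;
            while (r.hasNext()) {
                int event = r.next();
                if (event == XMLStreamConstants.CHARACTERS) {
                    textChars += r.getTextLength();   // size of expanded text, if any
                } else if (event == XMLStreamConstants.ENTITY_REFERENCE) {
                    entityRefs++;                      // left unexpanded for the application
                }
            }
            return "parsed: " + textChars + " text chars, " + entityRefs + " unexpanded entity refs";
        } catch (XMLStreamException e) {
            // A hardened factory may also refuse the document outright; that is fine too.
            return "rejected: " + e.getMessage();
        }
    }

    /** Client side: wrap the payload in a SAXSource whose XMLReader refuses a DOCTYPE.
        JAXP's identity transform uses the reader supplied on the SAXSource instead of
        building its own default Xerces parser, which is where the trace above blew up. */
    static SAXSource hardenedSource(String xml) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        XMLReader reader = spf.newSAXParser().getXMLReader();
        return new SAXSource(reader, new InputSource(new StringReader(xml)));
    }

    /** Runs the same kind of identity transform WebServiceTemplate performs on the
        request payload; returns true when the DOCTYPE is refused before any expansion. */
    static boolean transformRejects(String xml) throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Transformer identity = tf.newTransformer();
        try {
            identity.transform(hardenedSource(xml), new StreamResult(new StringWriter()));
            return false;
        } catch (TransformerException expected) {
            return true;   // wraps the SAXParseException raised on the DOCTYPE
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default StAX : " + staxOutcome(XMLInputFactory.newInstance(), LOLZ));
        System.out.println("hardened StAX: " + staxOutcome(hardenedStaxFactory(), LOLZ));
        System.out.println("client transform refuses DOCTYPE: " + transformRejects(LOLZ));
    }
}
```

Compile and run with the JDK alone (javac/java); with the real nine-level payload the default StAX line would exhaust the heap, which is why the sample is cut to three levels. On the client, passing hardenedSource(...) to sendSourceAndReceiveToResult in place of a plain StreamSource gives WebServiceTemplate a reader that fails on the DOCTYPE instead of expanding it. Disabling entity replacement and the DTD does nothing against a document that is simply large, so a request body size limit at the container or a front proxy remains a separate control.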

@gregturn gregturn commented Apr 15, 2014

Dinesh Angolkar commented

Is it possible to have a feature like "prohibitDtd" in the DispatcherServlet itself, so that such malicious requests can be handled appropriately, based on the business needs, without causing runtime errors?
We can find this feature in the Microsoft .NET framework.

@gregturn gregturn closed this Apr 15, 2014
@gregturn gregturn added this to the 2.2.RC1 milestone Sep 22, 2020