Release 2.5.1

Author: Gematik-Entwicklung

ReleaseNotes.md

@@ -2,6 +2,11 @@
 
 # Release Notes Gematik Referenzvalidator
 
+## Release 2.5.1
+
+### fixed
+- declining XML resources with DTD instructions due to vulnerability to XML eXternal Entity injection and thus Server Side Request Forgery (SSRF) attacks
+
 ## Release 2.5.0
 
 ### added

cli/pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <artifactId>referencevalidator</artifactId>
         <groupId>de.gematik.refv</groupId>
-        <version>2.5.0</version>
+        <version>2.5.1</version>
     </parent>
     <properties>
         <integrationtest.folder>${basedir}/target/test-classes/pluginloader-integration-test</integrationtest.folder>
@@ -69,6 +69,7 @@
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>exec-maven-plugin</artifactId>
+                <version>${version.exec-maven-plugin}</version>
                 <executions>
                     <execution>
                         <id>verify-plugin-support</id>
@@ -106,11 +107,6 @@
             <groupId>info.picocli</groupId>
             <artifactId>picocli</artifactId>
         </dependency>
-        <dependency>
-            <groupId>org.mockito</groupId>
-            <artifactId>mockito-junit-jupiter</artifactId>
-            <scope>test</scope>
-        </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-api</artifactId>

cli/src/main/java/de/gematik/refv/cli/ReferenceValidator.java

@@ -132,6 +132,8 @@ public void run() {
                 configureAllLoggersToDebug();
             }
 
+            redirectAllTcpTrafficToNonExistingProxyAsPreventiveSSRFMeasure();
+
             ValidationModule validator = getValidationModule();
             if (validator == null) {
                 log.debug("No suitable validation module found");
@@ -158,6 +160,11 @@ public void run() {
         }
     }
 
+    private static void redirectAllTcpTrafficToNonExistingProxyAsPreventiveSSRFMeasure() {
+        System.setProperty("socksProxyHost", "localhost");
+        System.setProperty("socksProxyPort", "1080");
+    }
+
     private ValidationOptions getValidationOptions() {
         ValidationOptions validationOptions = ValidationOptions.getDefaults();
         if(profile != null)

commons/pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <artifactId>referencevalidator</artifactId>
         <groupId>de.gematik.refv</groupId>
-        <version>2.5.0</version>
+        <version>2.5.1</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 

commons/src/main/java/de/gematik/refv/commons/validation/ReferencedProfileLocator.java

@@ -24,8 +24,10 @@
 
 import javax.xml.namespace.QName;
 import javax.xml.stream.XMLEventReader;
+import javax.xml.stream.XMLInputFactory;
 import javax.xml.stream.XMLStreamException;
 import javax.xml.stream.events.Attribute;
+import javax.xml.stream.events.DTD;
 import javax.xml.stream.events.StartElement;
 import javax.xml.stream.events.XMLEvent;
 import java.io.IOException;
@@ -36,10 +38,15 @@
 @Slf4j
 public class ReferencedProfileLocator {
 
-    private static final WstxInputFactory inputFactory = new WstxInputFactory();
+    private static final WstxInputFactory inputFactory;
     private static final JsonFactory jsonfactory = new JsonFactory();
     private static final String PROFILE_STRING = "profile";
 
+    static {
+        inputFactory = new WstxInputFactory();
+        inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+    }
+
     public List<String> getAllReferencedProfilesInResource(String resourceBody) {
         List<String> allProfilesInResource;
 
@@ -65,8 +72,12 @@ private List<String> locateInXml(String resource) throws IllegalArgumentExceptio
             while (xmlEventReader.hasNext()) {
                 XMLEvent event = xmlEventReader.nextEvent();
 
+                if (event instanceof DTD)
+                    throw new SecurityException("DTD is not allowed");
+
                 if (event.isStartElement()) {
                     StartElement nextTag = event.asStartElement();
+
                     if (nextTag.getName().getLocalPart().equalsIgnoreCase("meta")) {
 
                         return locateProfileInMetaTagXml(xmlEventReader);

commons/src/test/java/de/gematik/refv/commons/security/XXETests.java

@@ -0,0 +1,69 @@
+/*
+ Copyright (c) 2022-2024 gematik GmbH
+
+ Licensed under the Apache License, Version 2.0 (the License);
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an 'AS IS' BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ */
+
+package de.gematik.refv.commons.security;
+
+import de.gematik.refv.commons.helper.ValidationModuleFactory;
+import de.gematik.refv.commons.validation.ValidationModule;
+import lombok.SneakyThrows;
+import lombok.extern.slf4j.Slf4j;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
+
+import static com.ibm.icu.impl.Assert.fail;
+
+/**
+ * Cf. <a href="https://en.wikipedia.org/wiki/XML_external_entity_attack#cite_note-3">XML external entity attack</a>
+ * Cf. <a href="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html">XML External Entity Prevention Cheat Sheet</a>
+ *
+ */
+@Slf4j
+public class XXETests {
+    private static ValidationModule validationModule;
+
+    @BeforeAll
+    @SneakyThrows
+    static void beforeAll() {
+        validationModule = ValidationModuleFactory.createInstance("simple");
+        validationModule.initialize();
+    }
+
+    @ParameterizedTest
+    @ValueSource(strings = {
+            "src/test/resources/security/xxe/doctype-system-url.xml",
+            "src/test/resources/security/xxe/doctype-system-file.xml",
+            "src/test/resources/security/xxe/doctype-internal-entity.xml",
+            "src/test/resources/security/xxe/dtd-element.xml"
+    })
+    @SneakyThrows
+    void DTDisNotAllowed(String path) {
+        try {
+            var result = validationModule.validateFile(path);
+            log.debug(result.toString());
+            fail("No exception is thrown");
+        } catch (IllegalArgumentException e) {
+            log.debug("Exception during validation", e);
+            assertCorrectSecurityException(e);
+        }
+    }
+
+    private void assertCorrectSecurityException(Throwable e) {
+        Assertions.assertNotNull(e.getCause(), "No security exception is thrown (cause empty)");
+        Assertions.assertInstanceOf(SecurityException.class, e.getCause(), "No security exception is thrown (wrong cause type)");
+    }
+}

commons/src/test/resources/security/xxe/doctype-internal-entity.xml

@@ -0,0 +1,25 @@
+<!DOCTYPE foo [<!ENTITY hello "hello"> ]>
+<Patient xmlns="http://hl7.org/fhir">
+    <id value="66033"/>
+    <meta>
+        <profile value="http://example.gematik.de/fhir/StructureDefinition/patient-with-birthdate|1.0.0" />
+        <tag value="asd">&hello;</tag>
+    </meta>
+    <text>
+        <status value="generated"/>
+        <div xmlns="http://www.w3.org/1999/xhtml">hello</div>
+    </text>
+    <identifier>
+        <system value="urn:oid:1.3.182.4.4"/>
+        <value value="1998041799999"/>
+    </identifier>
+    <identifier>
+        <system value="urn:ietf:rfc:3986"/>
+        <value value="urn:uuid:647515ed-0d5e-4c99-b23d-073fbc593f76"/>
+    </identifier>
+    <name>
+        <family value="Lux-Brennard"/>
+        <given value="Marie"/>
+    </name>
+    <birthDate value="2023-01-01"/>
+</Patient>

commons/src/test/resources/security/xxe/doctype-system-file.xml

@@ -0,0 +1,25 @@
+<!DOCTYPE foo [<!ENTITY getrequest SYSTEM "file:///c:/temp/test.txt"> ]>
+<Patient xmlns="http://hl7.org/fhir">
+    <id value="66033"/>
+    <meta>
+        <profile value="http://example.gematik.de/fhir/StructureDefinition/patient-with-birthdate|1.0.0" />
+        <tag value="asd">&getrequest;</tag>
+    </meta>
+    <text>
+        <status value="generated"/>
+        <div xmlns="http://www.w3.org/1999/xhtml">hello</div>
+    </text>
+    <identifier>
+        <system value="urn:oid:1.3.182.4.4"/>
+        <value value="1998041799999"/>
+    </identifier>
+    <identifier>
+        <system value="urn:ietf:rfc:3986"/>
+        <value value="urn:uuid:647515ed-0d5e-4c99-b23d-073fbc593f76"/>
+    </identifier>
+    <name>
+        <family value="Lux-Brennard"/>
+        <given value="Marie"/>
+    </name>
+    <birthDate value="2023-01-01"/>
+</Patient>

commons/src/test/resources/security/xxe/doctype-system-url.xml

@@ -0,0 +1,25 @@
+<!DOCTYPE foo [<!ENTITY getrequest SYSTEM "http://non-existing-host:3000"> ]>
+<Patient xmlns="http://hl7.org/fhir">
+    <id value="66033"/>
+    <meta>
+        <profile value="http://example.gematik.de/fhir/StructureDefinition/patient-with-birthdate|1.0.0" />
+        <tag value="asd">&getrequest;</tag>
+    </meta>
+    <text>
+        <status value="generated"/>
+        <div xmlns="http://www.w3.org/1999/xhtml">hello</div>
+    </text>
+    <identifier>
+        <system value="urn:oid:1.3.182.4.4"/>
+        <value value="1998041799999"/>
+    </identifier>
+    <identifier>
+        <system value="urn:ietf:rfc:3986"/>
+        <value value="urn:uuid:647515ed-0d5e-4c99-b23d-073fbc593f76"/>
+    </identifier>
+    <name>
+        <family value="Lux-Brennard"/>
+        <given value="Marie"/>
+    </name>
+    <birthDate value="2023-01-01"/>
+</Patient>

commons/src/test/resources/security/xxe/dtd-element.xml

@@ -0,0 +1,25 @@
+<!DOCTYPE foo [<!ELEMENT hello (#PCDATA)> <!ENTITY getrequest SYSTEM "http://localhost:3000">]>
+<Patient xmlns="http://hl7.org/fhir">
+    <id value="66033"/>
+    <meta>
+        <profile value="http://example.gematik.de/fhir/StructureDefinition/patient-with-birthdate|1.0.0" />
+        <tag value="asd">blabla</tag>
+    </meta>
+    <text>
+        <status value="generated"/>
+        <div xmlns="http://www.w3.org/1999/xhtml">hello</div>
+    </text>
+    <identifier>
+        <system value="urn:oid:1.3.182.4.4"/>
+        <value value="1998041799999"/>
+    </identifier>
+    <identifier>
+        <system value="urn:ietf:rfc:3986"/>
+        <value value="urn:uuid:647515ed-0d5e-4c99-b23d-073fbc593f76"/>
+    </identifier>
+    <name>
+        <family value="Lux-Brennard"/>
+        <given value="Marie"/>
+    </name>
+    <birthDate value="2023-01-01"/>
+</Patient>

core/pom.xml

@@ -5,7 +5,7 @@
     <parent>
         <artifactId>referencevalidator</artifactId>
         <groupId>de.gematik.refv</groupId>
-        <version>2.5.0</version>
+        <version>2.5.1</version>
     </parent>
     <modelVersion>4.0.0</modelVersion>
 

owasp-suppressions.xml

@@ -2,26 +2,50 @@
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
     <suppress>
         <notes><![CDATA[
-      file name: jackson-databind-2.15.2.jar
-      not a security issue according to https://github.com/FasterXML/jackson-databind/issues/3972#issuecomment-1596193098
-      ]]></notes>
-        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
-        <cve>CVE-2023-35116</cve>
+   file name: org.hl7.fhir.r4-6.0.1.jar
+   the vulnerability is mitigated in HAPI wrapper classes and in the implementation of ReferencedProfileLocator starting with version 2.5.1
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/ca\.uhn\.hapi\.fhir/org\.hl7\.fhir\.r4@.*$</packageUrl>
+        <vulnerabilityName>CVE-2024-45294</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: org.hl7.fhir.r5-6.0.1.jar
+   the vulnerability is mitigated in HAPI wrapper classes and in the implementation of ReferencedProfileLocator starting with version 2.5.1
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/ca\.uhn\.hapi\.fhir/org\.hl7\.fhir\.r5@.*$</packageUrl>
+        <vulnerabilityName>CVE-2024-45294</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: org.hl7.fhir.r4b-6.0.1.jar
+   the vulnerability is mitigated in HAPI wrapper classes and in the implementation of ReferencedProfileLocator starting with version 2.5.1
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/ca\.uhn\.hapi\.fhir/org\.hl7\.fhir\.r4b@.*$</packageUrl>
+        <vulnerabilityName>CVE-2024-45294</vulnerabilityName>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+   file name: org.hl7.fhir.dstu3-6.0.1.jar
+   the vulnerability is mitigated in HAPI wrapper classes and in the implementation of ReferencedProfileLocator starting with version 2.5.1
+   ]]></notes>
+        <packageUrl regex="true">^pkg:maven/ca\.uhn\.hapi\.fhir/org\.hl7\.fhir\.dstu3@.*$</packageUrl>
+        <vulnerabilityName>CVE-2024-45294</vulnerabilityName>
     </suppress>
     <suppress>
         <notes><![CDATA[
-   file name: commons-compress-1.25.0.jar
-   not a security issue as all used archives are embedded or come from trusted sources
+   file name: org.hl7.fhir.dstu3-6.0.1.jar
+   the vulnerability is mitigated in HAPI wrapper classes and in the implementation of ReferencedProfileLocator starting with version 2.5.1
    ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.commons/commons\-compress@.*$</packageUrl>
-        <cve>CVE-2024-25710</cve>
+        <packageUrl regex="true">^pkg:maven/ca\.uhn\.hapi\.fhir/org\.hl7\.fhir\.utilities@.*$</packageUrl>
+        <vulnerabilityName>CVE-2024-45294</vulnerabilityName>
     </suppress>
     <suppress>
         <notes><![CDATA[
-   file name: commons-compress-1.25.0.jar
-   not a security issue as all used archives are embedded or come from trusted sources
+   file name: org.hl7.fhir.dstu3-6.0.1.jar
+   the vulnerability is mitigated in HAPI wrapper classes and in the implementation of ReferencedProfileLocator starting with version 2.5.1
    ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.apache\.commons/commons\-compress@.*$</packageUrl>
-        <cve>CVE-2024-26308</cve>
+        <packageUrl regex="true">^pkg:maven/ca\.uhn\.hapi\.fhir/org\.hl7\.fhir\.dstu2016may@.*$</packageUrl>
+        <vulnerabilityName>CVE-2024-45294</vulnerabilityName>
     </suppress>
 </suppressions>