
XXE soften for XMLStructuredInput #547


Merged
merged 5 commits into from
Jan 28, 2025

Conversation


@mkeckmkeck mkeckmkeck commented Jan 27, 2025

Description

Adapts security settings for XML parsing. See commit messages for details.
Adds new unit tests as well.

Additional Notes

  • This PR fixes or works on the following ticket(s): SIRI-1037

Checklist

  • Code change has been tested and works locally
  • Code was formatted via IntelliJ and follows SonarLint & best practices
  • Patch Tasks: Is local execution of Patch Tasks necessary? If so, please also mark the PR with the tag.

- currently xml with an external dtd is not allowed

Fixes: SIRI-1037
… setting

- adds setting to ignore external dtd completely: see https://xerces.apache.org/xerces2-j/features.html#nonvalidating.load-external-dtd
- so they get ignored, but the xml parsing won't fail on them
- wrap this inside a little helper method to create the DocumentBuilderFactories

Fixes: SIRI-1037
- settings as per: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
- this also applies the settings "http://xml.org/sax..." already used for the SAX parser to the DocumentBuilder factory
- and prevents entity reference expansion as the documentation suggests

Fixes: SIRI-1037
@mkeckmkeck mkeckmkeck added the 🧬 Enhancement Contains new features label Jan 27, 2025
- applying result.setFeature("http://xml.org/sax/features/external-parameter-entities", false) AND
  result.setExpandEntityReferences(false) will result in "no-dangerous-execution" AND no exception

Fixes: SIRI-1037
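As an added illustration (not code from this PR or the project), the helper below applies the settings named in the commit messages to a DocumentBuilderFactory and then parses a constructed document that carries both an external DTD reference and an external general entity, which is the case the "soften" is about. The class name, the helper name and the DTD/file URLs are placeholders, and the run assumes the JDK's built-in Xerces-based JAXP implementation, which understands the Apache feature names.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

public class SoftXxeDemo {

    // Hypothetical helper mirroring what the commit messages describe:
    // DOCTYPE declarations stay allowed (no disallow-doctype-decl), but
    // nothing external is ever fetched and entity references are not
    // expanded into the DOM tree.
    static DocumentBuilderFactory newHardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Do not resolve external general entities (<!ENTITY x SYSTEM "...">)
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        // Do not resolve external parameter entities (%x; inside the DTD)
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Do not load the external DTD subset named in the DOCTYPE at all
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: an external DTD reference plus an external
        // general entity. Both URLs are placeholders; with the settings above
        // the parser never opens either of them.
        String xml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE note SYSTEM \"http://dtd.example.invalid/note.dtd\" [\n"
            + "  <!ENTITY ext SYSTEM \"file:///placeholder/secret.txt\">\n"
            + "]>\n"
            + "<note>&ext;</note>";

        DocumentBuilder builder = newHardenedFactory().newDocumentBuilder();
        Document doc = builder.parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));

        // The document is accepted without an exception; the skipped external
        // entity contributes no text to the <note> element.
        System.out.println("root=" + doc.getDocumentElement().getNodeName()
            + " text='" + doc.getDocumentElement().getTextContent() + "'");
    }
}
```

Switching the factory back to the strict variant from the OWASP cheat sheet (`disallow-doctype-decl` set to true) makes the same input fail at the DOCTYPE, which is the behaviour the PR's first commit message describes as too restrictive for this input class.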
@mkeckmkeck mkeckmkeck merged commit 4ddf0a1 into develop Jan 28, 2025
3 checks passed
@mkeckmkeck mkeckmkeck deleted the feature/SIRI-1037_xxe_soften_structuredinput branch January 28, 2025 05:57