Skip to content

Introduce hardened XML utilities in core #133644

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 11 commits into from
Aug 29, 2025
Merged

Introduce hardened XML utilities in core #133644

merged 11 commits into from
Aug 29, 2025

Conversation

@richard-dennehy
Copy link
Contributor

@richard-dennehy richard-dennehy commented Aug 27, 2025
edited
Loading

Create/move a set of utility functions that wrap the various java XML classes, providing secure default settings (e.g. prevent XXE), and enforce that these are used.

Provides secured versions of:

  • DocumentBuilderFactory
  • DocumentBuilder
  • SAXParserFactory
  • SchemaFactory
  • Validator
  • Transformer

I've tested integrating with #130337 in 665ce15 and the tests pass

@richard-dennehy richard-dennehy added >refactoring :Security/Security Security issues without another label Team:Security Meta label for security team labels Aug 27, 2025
@richard-dennehy richard-dennehy changed the title move hardened XML factories to core Introduce hardened XML utilities in core Aug 28, 2025
richard-dennehy
richard-dennehy commented Aug 28, 2025
View reviewed changes
build-tools-internal/src/main/resources/forbidden/jdk-signatures.txt
Comment on lines +109 to +111
javax.xml.parsers.DocumentBuilderFactory#newDefaultNSInstance()
javax.xml.parsers.DocumentBuilderFactory#newNSInstance()
javax.xml.parsers.DocumentBuilderFactory#newNSInstance(java.lang.String, java.lang.ClassLoader)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm assuming we want to block all of these as well

libs/core/src/main/java/org/elasticsearch/core/XmlUtils.java
* Returns a DocumentBuilderFactory pre-configured to be secure
*/
@SuppressForbidden(reason = "This is the only allowed way to construct a DocumentBuilder")
public static DocumentBuilderFactory getHardenedBuilderFactory() throws ParserConfigurationException {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need to provide a DocumentBuilder that doesn't validate schema as some existing usages of this API don't perform schema validation

libs/core/src/main/java/org/elasticsearch/core/XmlUtils.java
Comment on lines +94 to +96
tfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
tfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
tfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As I understand, we don't actually need to configure ACCESS_EXTERNAL_DTD or ACCESS_EXTERNAL_STYLESHEET when FEATURE_SECURE_PROCESSING is true; as per JAXP Properties for External Access Restrictions:

Explicitly turning on Feature for Secure Processing (FSP) through the API, for example, factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true), disables all external connections.

Copy link
Contributor

@slobodanadamovic slobodanadamovic Aug 29, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You are right. This is probably for historical reasons and old JDKs. If no harm, I think we should keep it.

libs/core/src/main/java/org/elasticsearch/core/XmlUtils.java
ParserConfigurationException {
var saxParserFactory = SAXParserFactory.newInstance();

saxParserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As I understand, this is the only security feature we actually need to set

@slobodanadamovic slobodanadamovic self-requested a review August 28, 2025 10:49
slobodanadamovic
slobodanadamovic approved these changes Aug 29, 2025
View reviewed changes
Copy link
Contributor

@slobodanadamovic slobodanadamovic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@richard-dennehy richard-dennehy marked this pull request as ready for review August 29, 2025 08:34
@richard-dennehy richard-dennehy requested review from a team as code owners August 29, 2025 08:34
@elasticsearchmachine
Copy link
Collaborator

Pinging @elastic/es-security (Team:Security)

@elasticsearchmachine elasticsearchmachine added the serverless-linked Added by automation, don't add manually label Aug 29, 2025
@richard-dennehy richard-dennehy merged commit bbea507 into elastic:main Aug 29, 2025
40 checks passed
@PeteGillinElastic PeteGillinElastic mentioned this pull request Aug 29, 2025
Open
JeremyDahlgren pushed a commit to JeremyDahlgren/elasticsearch that referenced this pull request Aug 29, 2025
@richard-dennehy @JeremyDahlgren
Introduce hardened XML utilities in core (elastic#133644)
a00c6b7 
Co-authored-by: elasticsearchmachine <infra-root+elasticsearchmachine@elastic.co>
@joegallo joegallo mentioned this pull request Sep 17, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@slobodanadamovic slobodanadamovic slobodanadamovic approved these changes

@PeteGillinElastic PeteGillinElastic Awaiting requested review from PeteGillinElastic

Assignees

No one assigned

Labels

>refactoring :Security/Security Security issues without another label serverless-linked Added by automation, don't add manually Team:Security Meta label for security team v9.2.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@richard-dennehy @elasticsearchmachine @slobodanadamovic