Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SIRI-1037 Fix potential XXE vulnerability #543

Merged
merged 3 commits into from
Dec 11, 2024
Merged

SIRI-1037 Fix potential XXE vulnerability #543

merged 3 commits into from
Dec 11, 2024

Conversation

ymo-sci
Copy link
Contributor

@ymo-sci ymo-sci commented Dec 9, 2024
edited by mkeckmkeck
Loading

Description

Fix a potential XXE vulnerability via setting Feature Secure Processing
https://docs.oracle.com/javase/8/docs/technotes/guides/security/jaxp/jaxp.html#feature-for-secure-processing
Nicer and more current documentation:
https://docs.oracle.com/en/java/javase/23/security/java-api-xml-processing-jaxp-security-guide.html
In a nutshell, this prevents access to external entities and set limit while processing xml. As this feature is rarely required and the limits are reasonable high, we expect no problems. But testing the xml processing in products is recommended, after this change got included.

Additional Notes

Checklist

  • Code change has been tested and works locally
  • Code was formatted via IntelliJ and follows SonarLint & best practices
  • Patch Tasks: Is local execution of Patch Tasks necessary? If so, please also mark the PR with the tag.

@ymo-sci ymo-sci added the 🐛 Bugfix Contains only a small fix for an existing bug label Dec 9, 2024
@ymo-sci ymo-sci changed the title Feature/ymo/siri 1037 xxe SIRI-1037 Fix potential XXE vulnerability Dec 9, 2024
@ymo-sci ymo-sci mentioned this pull request Dec 9, 2024
Merged
3 tasks
sabieber
sabieber requested changes Dec 9, 2024
View reviewed changes
Copy link
Member

@sabieber sabieber left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would welcome more (or rather any) info in the commit messages.
Commit messages should be the first source of information when debugging an issue or trying to understand a change.

@ymo-sci
fix potential XXE vulnerability
ef27751 
without disallowing external entities one is able to include webcontent or files directly from the system e.g. file:///etc/hosts or some like this into the uploaded content via declaring an external entity. Details can be found on https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#java and on https://docs.oracle.com/javase/8/docs/technotes/guides/security/jaxp/jaxp.html#feature-for-secure-processing

- fixes: SIRI-1037
@ymo-sci
drive-by: fix some typos
95199e8
@ymo-sci
add test and additional disallow-doctype-decl to disallow it on parsi…
4116001 
…ng via disallow declaration of doctypes and also disallowinf xincludes as recommended in https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxb-unmarshaller

- fixes: SIRI-1037
@ymo-sci ymo-sci force-pushed the feature/ymo/SIRI-1037-xxe branch from 53b8d66 to 4116001 Compare December 10, 2024 10:36
@ymo-sci ymo-sci mentioned this pull request Dec 10, 2024
Closed
@ymo-sci ymo-sci merged commit cef8f69 into develop Dec 11, 2024
3 checks passed
@ymo-sci ymo-sci deleted the feature/ymo/SIRI-1037-xxe branch December 11, 2024 08:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@scireum-mbo scireum-mbo scireum-mbo approved these changes

@mko-sci mko-sci mko-sci approved these changes

@mkeckmkeck mkeckmkeck mkeckmkeck approved these changes

@idlira idlira idlira approved these changes

@fhaScireum fhaScireum fhaScireum approved these changes

@jakobvogel jakobvogel jakobvogel approved these changes

@jmuscireum jmuscireum jmuscireum approved these changes

@sabieber sabieber sabieber approved these changes

Assignees
No one assigned
Labels
🐛 Bugfix Contains only a small fix for an existing bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
9 participants
@ymo-sci @sabieber @jmuscireum @jakobvogel @fhaScireum @idlira @mkeckmkeck @mko-sci @scireum-mbo