Fix a potential XXE Vulnerability

Without this one con possible include files from the web or the local system like //etc/passwd in an XML file and read it in e.g. an import job or in the frontend or pdf in an svg via setting Feature Secure Processing https://docs.oracle.com/javase/8/docs/technotes/guides/security/jaxp/jaxp.html#feature-for-secure-processing as recommended in https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxb-unmarshaller - fixes: SIRI-1037
scireum · Dec 10, 2024 · 0fba6c5 · 0fba6c5
1 parent 06e9569
commit 0fba6c5
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 0 deletions.
diff --git a/src/main/java/sirius/pasta/noodle/macros/XmlProcessingMacro.java b/src/main/java/sirius/pasta/noodle/macros/XmlProcessingMacro.java
@@ -18,6 +18,7 @@
 import sirius.web.resources.Resource;
 
 import javax.annotation.Nullable;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerFactory;
@@ -104,6 +105,7 @@ protected Document parseDocument(InputSource source) {
     protected Document parseDocument(InputSource source, @Nullable String expectedRootElement) {
         try {
             DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
             Document document = factory.newDocumentBuilder().parse(source);
 
             if (Strings.isFilled(expectedRootElement) && !Strings.areEqual(expectedRootElement,

diff --git a/src/main/java/sirius/web/security/SAMLHelper.java b/src/main/java/sirius/web/security/SAMLHelper.java
@@ -27,6 +27,7 @@
 
 import javax.annotation.Nonnull;
 import javax.annotation.Nullable;
+import javax.xml.XMLConstants;
 import javax.xml.crypto.AlgorithmMethod;
 import javax.xml.crypto.KeySelector;
 import javax.xml.crypto.KeySelectorException;
@@ -256,6 +257,7 @@ private SAMLResponse parseAssertion(Element assertion, String fingerprint) {
     private Document getResponseDocument(InputStream inputStream)
             throws SAXException, IOException, ParserConfigurationException {
         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
         factory.setNamespaceAware(true);
         return factory.newDocumentBuilder().parse(inputStream);
     }

diff --git a/src/main/java/sirius/web/templates/pdf/ImageReplacedElementFactory.java b/src/main/java/sirius/web/templates/pdf/ImageReplacedElementFactory.java
@@ -22,6 +22,7 @@
 import sirius.web.templates.pdf.handlers.PdfReplaceHandler;
 
 import javax.annotation.Nonnull;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -84,6 +85,7 @@ private Optional<ReplacedElement> tryCreateReplacedSvgElement(@Nonnull Element e
 
         try {
             DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
+            documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
             DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
 
             Document svgDocument = documentBuilder.newDocument();