Description
Arjen Poutsma opened SPR-10806 and commented
The issue is concerned with XML entity resolution. The idea is to use an XML entity to resolve to an local file on the host system (for instance, /etc/passwd). See https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing for more details. To resolve this issue, simply disable external entity resolution when dealing with XML from external sources. The way to do that depends on the XML API that you use.
DOM
When using DOM, simply set the expandEntityReferences property on the DocumentBuilderFactory to false. For instance:
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setExpandEntityReferences(false);
DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
Document document = documentBuilder.parse(externalSource);SAX
When using SAX, set the "http://xml.org/sax/features/external-general-entities" feature on the XMLReader to false. For instance:
XMLReader xmlReader = XMLReaderFactory.createXMLReader();
xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
xmlReader.parse(new InputSource(externalSource));StAX
When using StAX, set the IS_REPLACING_ENTITY_REFERENCES property on the XMLInputFactory to false. For instance:
XMLInputFactory factory = XMLInputFactory.newInstance();
factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);
XMLStreamReader reader = factory.createXMLStreamReader(externalSource);Spring OXM
When using any of the Spring OXM Marshallers for unmarshalling from an external source, please use the code above to disable entity resolution before passing on a Source to the marshaller. For instance, when using DOM:
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setExpandEntityReferences(false);
DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
Document document = documentBuilder.parse(externalSource);
DOMSource source = new DOMSource(document);
Jaxb2Marshaller jaxb2Marshaller = ...
Object unmarshalled = jaxb2Marshaller.unmarshal(source);Affects: 3.2.3
Attachments:
- Jaxb2CollectionHttpMessageConverter.patch (905 bytes)
Issue Links:
- Jaxb2RootElementHttpMessageConverter is susceptible to XXE vulnerability [SPR-11376] #16003 Jaxb2RootElementHttpMessageConverter is susceptible to XXE vulnerability
- Disable the processing of external entities in SourceHttpMessageConverter by default [SPR-11078] #15704 Disable the processing of external entities in SourceHttpMessageConverter by default