Skip to content

Fix potential security risk when using Spring OXM [SPR-10806] #15432

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
spring-projects-issues opened this issue Aug 5, 2013 · 0 comments
Closed

Fix potential security risk when using Spring OXM [SPR-10806] #15432

spring-projects-issues opened this issue Aug 5, 2013 · 0 comments
Assignees
@philwebb
Labels
in: data Issues in data modules (jdbc, orm, oxm, tx) type: enhancement A general enhancement
Milestone
3.2.4

Comments

@spring-projects-issues
Copy link
Collaborator

spring-projects-issues commented Aug 5, 2013
edited
Loading

Arjen Poutsma opened SPR-10806 and commented

The issue is concerned with XML entity resolution. The idea is to use an XML entity to resolve to an local file on the host system (for instance, /etc/passwd). See https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing for more details. To resolve this issue, simply disable external entity resolution when dealing with XML from external sources. The way to do that depends on the XML API that you use.

DOM
When using DOM, simply set the expandEntityReferences property on the DocumentBuilderFactory to false. For instance:

DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setExpandEntityReferences(false);
DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
Document document = documentBuilder.parse(externalSource);

SAX
When using SAX, set the "http://xml.org/sax/features/external-general-entities" feature on the XMLReader to false. For instance:

XMLReader xmlReader = XMLReaderFactory.createXMLReader();
xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
xmlReader.parse(new InputSource(externalSource));

StAX
When using StAX, set the IS_REPLACING_ENTITY_REFERENCES property on the XMLInputFactory to false. For instance:

XMLInputFactory factory = XMLInputFactory.newInstance();
factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);
XMLStreamReader reader = factory.createXMLStreamReader(externalSource);

Spring OXM

When using any of the Spring OXM Marshallers for unmarshalling from an external source, please use the code above to disable entity resolution before passing on a Source to the marshaller. For instance, when using DOM:

DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setExpandEntityReferences(false);
DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
Document document = documentBuilder.parse(externalSource);
DOMSource source = new DOMSource(document);
Jaxb2Marshaller jaxb2Marshaller = ...
Object unmarshalled = jaxb2Marshaller.unmarshal(source);

Affects: 3.2.3

Attachments:

Issue Links:
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@philwebb philwebb

Labels
in: data Issues in data modules (jdbc, orm, oxm, tx) type: enhancement A general enhancement
Projects
None yet
Milestone
3.2.4
Development

No branches or pull requests
2 participants
@philwebb @spring-projects-issues