AbstractMarshaller should avoid SAXSource workaround when processExternalEntities=true [SPR-11737]

[spring-projects-issues]

Muminur Choudhury opened SPR-11737 and commented

We are currently using spring 4.0.1.

Updated to 4.0.2 (also tried latest 4.0.3) , got unexpected unmarshalling issues with XMLBeansMarshaller for any XSD that uses the "extension" element.

Work-round we had to apply :

XmlBeansMarshaller xmlBeansMarshaller = new XmlBeansMarshaller() {            
            // work-round for spring 4.0.2 
            protected Object unmarshalStreamSourceNoExternalEntitities(StreamSource streamSource) throws XmlMappingException, IOException {
                return unmarshalStreamSource(streamSource);
            }
        };

---

Affects: 3.2.8, 4.0.2

Issue Links:

• Jaxb2RootElementHttpMessageConverter is susceptible to XXE vulnerability [SPR-11376] #16003 Jaxb2RootElementHttpMessageConverter is susceptible to XXE vulnerability

Backported to: 3.2.9

[spring-projects-issues]

Juergen Hoeller commented

The idea behind the XXE vulnerability fix in #16003 was that the processing of external entities should be disabled by default for security reasons, with a processExternalEntities=true flag a.k.a. setProcessExternalEntities(true) call enabling it. Please give that flag a try; it should make external entities work again.

That said, with processExternalEntities=true, we should actually be able to use the regular unmarshalStreamSource code path, bypassing the configurable adapting to SAXSource parsing. We'll revise that for 4.0.4.

As a side note, we also need to fix the name of that lately introduced "unmarshalStreamSourceNoExternalEntities" method, or rather get rid of it completely.

Juergen

[spring-projects-issues]

Juergen Hoeller commented

Assuming that the processExternalEntities flag does make XmlBeansMarshaller work again for your scenario, there's still the code path that you suggest in your workaround: AbstractMarshaller should avoid its SAXSource parsing workaround if processExternalEntities=true and rather use the regular unmarshalStreamSource code path.

From that perspective, I'll turn this issue into a corresponding improvement. Let me know whether the processExternalEntities flag doesn't work for you, or whether there are any other concerns with respect to unmarshalStreamSource .

Juergen

[spring-projects-issues]

Muminur Choudhury commented

Originally tried to use setProcessExternalEntities(true) (both for 4.0.2 and 4.0.3) and unfortunately it didn't work, so had to use the workround.

Suggestion sounds good to me, processExternalEntities=true should use the regular unmarshalStreamSource code path.

[spring-projects-issues]

Juergen Hoeller commented

Muminur, does this work for you now, against 4.0.4 and/or the latest 3.2.9 snapshot?

Juergen

[spring-projects-issues]

Muminur Choudhury commented

I've tested against 4.0.4 a few days ago and I can confirm if set processExternalEntities=true, XMLBeansMarshaller is working for me.

[spring-projects-issues]

Juergen Hoeller commented

Thanks, that's good to hear!

Juergen