Uploaded image for project: 'Eagle (Retired)'
  1. Eagle (Retired)
  2. EAGLE-159

XML parser configured in org.apache.eagle.jobrunning.crawler.XmlHelper is not protected from Xml eXternal Entities injection attack

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • None
    • None
    • None
    • None

    Description

      Scanned and found by Fortify app:

      At org.apache.eagle.jobrunning.crawler.XmlHelper:41, XML parser configured at this position does not prevent nor limit external entities resolution, this can expose the parser to an XML External Entities attack.

      >> Explanation of the issue:
      1. XML External Entities attacks benefit from an XML feature to build documents dynamically at the time of processing. An XML entity allows inclusion of data dynamically from a given resource. External entities allow an XML document to include data from an external URI. Unless configured to do otherwise, external entities force the XML parser to access the resource specified by the URI, e.g., a file on the local machine or on a remote system. This behavior exposes the application to XML External Entity (XXE) attacks, which can be used to perform denial of service of the local system, gain unauthorized access to files on the local machine, scan remote machines, and perform denial of service of remote systems.
      2. The following XML document shows an example of an XXE attack.
      *****************************
      <?xml version="1.0" encoding="ISO-8859-1"?>
      <!DOCTYPE foo [
      <!ELEMENT foo ANY >
      <!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>
      *****************************
      This example could crash the server (on a UNIX system), if the XML parser attempts to substitute the entity with the contents of the /dev/random file.

      >> Solving recommendation:
      1. The XML unmarshaller should be configured securely so that it does not allow external entities as part of an incoming XML document.
      2. To avoid XXE injection do not use unmarshal methods that process an XML source directly as java.io.File, java.io.Reader or java.io.InputStream. Parse the document with a securely configured parser and use an unmarshal method that takes the secure parser as the XML source as shown in the following example:
      **********************
      // suppose we've got Unmarshaller instance referenced by unmarshaller
      DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
      dbf.setExpandEntityReferences(false);
      DocumentBuilder db = dbf.newDocumentBuilder();
      Document document = db.parse(<XML Source>);
      Model model = (Model) unmarshaller.unmarshal(document);
      **********************

      Attachments

        Activity

          People

            haoch Hao Chen
            wuziyang Michael Wu
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated: