[TINKERPOP-2320] [SECURITY] XMLInputFactory initialization in GraphMLReader introduces - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Done
Affects Version/s: 3.4.4
Fix Version/s: 3.5.0, 3.4.5, 3.3.10
Component/s: io
Labels:
None

Description

I use TinkerPop in my company and now the security team had audits and reported that this part in GraphML reader may introduce XXE vulnerabilities.

private final XMLInputFactory inputFactory = XMLInputFactory.newInstance();

Some document recommends to add some properties to protect it as follows:

https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#xmlinputfactory-a-stax-parser

So I am wondering if I can either

1. just hard-code to set these properties in the constructor of GraphMLReader (it will break the existing behavior if users use it)

2. somehow make these properties configurable so that we can pass some flags and depending on the flags, we initialize GraphMLReader with those properties.

Any recommendation ? I am happy to add implementation to handle it but need some input which direction I'd take.

Thanks.
Norio

Attachments

Issue Links

links to

GitHub Pull Request #1230

GitHub Pull Request #1235

Activity

People

Assignee:: Stephen Mallette

Reporter:: Norio Akagi

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 27/Nov/19 22:19

Updated:: 02/Jan/20 17:45

Resolved:: 02/Jan/20 17:45