import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.xml.bind.annotation.XmlRootElement;

@Path("/")
public class MovieResource {
    ...
    // Echoes the unmarshalled entity straight back to the client.
    @POST
    @Path("user/{id}/favoriteMovies")
    @Consumes({"application/xml", "application/json"})
    public FavoriteMovie addFavoriteMovie(@PathParam("id") Long id,
                                          FavoriteMovie movie) {
        return movie;
    }
}

@XmlRootElement
public class FavoriteMovie {
    private String _title;

    public String getTitle() {
        return _title;
    }

    public void setTitle(String title) {
        _title = title;
    }
}
If I POST the following XML:
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<favoriteMovie><title>&xxe;</title></favoriteMovie>
I get back:
<favoriteMovie>
<title>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
...
</title>
</favoriteMovie>
Adding a
System.setProperty("entityExpansionLimit", "0");
fixes the problem, and causes this exception instead:
org.xml.sax.SAXParseException: The parser has encountered more than "0"
entity expansions in this document; this is the limit imposed by the
application.
On Mon, Jul 6, 2009 at 1:01 PM, Guba, Nicolai <nguba_at_bioware.com> wrote:
> I could not reproduce it. The JAXB serializer (correctly) identified
> this as an invalid request.
>
> Maybe it works with resources that are processing form parameters? It may
> be helpful to see the code snippet of the resource you are accessing.
>
> --
> =NPG=
>
> From: ksuwildcat_at_gmail.com [mailto:ksuwildcat_at_gmail.com] On Behalf Of Tim
> McCune
> Sent: Monday, July 06, 2009 1:04 PM
> To: users_at_jersey.dev.java.net
> Subject: [Jersey] Jersey vulnerable to XXE attack?
>
> http://www.securiteam.com/securitynews/6D0100A5PU.html
>
> Just tried this attack against a simple web service built on top of Jersey,
> and it seems to have succeeded.
>
> <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
> <foo><bar>&xxe;</bar></foo>
>
> If I POST that to a web service built on Jersey, and have my resource just
> return the parameter that was passed into it, I can see the contents of
> /etc/passwd.
>
> Can anyone confirm that this vulnerability exists, and if so, advise on the
> best way to protect against it?
>
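The thread above settles on the entityExpansionLimit system property, which makes the parser fail only after it has begun processing the DTD. As an added example that is not part of this thread (not Tim's code and not Jersey's), the standalone Java program below unmarshals the same FavoriteMovie payload through a SAXParserFactory that refuses any DOCTYPE and disables external entity resolution, so the file reference is never followed. It assumes JAXB on the classpath (JDK 6 through 10, or the javax.xml.bind jaxb-api artifact on newer JDKs); the class name SafeFavoriteMovieReader and the sample payloads are constructed for the example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.UnmarshalException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

public class SafeFavoriteMovieReader {

    // Same shape as the bean in the thread; JAXB maps it through the getter/setter.
    @XmlRootElement(name = "favoriteMovie")
    public static class FavoriteMovie {
        private String title;
        public String getTitle() { return title; }
        public void setTitle(String t) { title = t; }
    }

    // Constructed sample input: a document of the kind posted in the thread,
    // whose internal DTD subset declares an external entity.
    static final String DOCTYPE_PAYLOAD =
        "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>\n"
      + "<favoriteMovie><title>&xxe;</title></favoriteMovie>";

    // Constructed sample input: an ordinary request body without a DTD.
    static final String BENIGN_PAYLOAD =
        "<favoriteMovie><title>Blade Runner</title></favoriteMovie>";

    // Build an XMLReader that rejects a DOCTYPE outright and, as defence in depth,
    // never loads external general/parameter entities or an external DTD.
    static XMLReader hardenedReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        spf.setXIncludeAware(false);
        return spf.newSAXParser().getXMLReader();
    }

    // Hand JAXB a SAXSource backed by the hardened reader instead of letting it
    // create a default parser; the parser configuration is what decides XXE, not JAXB.
    static FavoriteMovie unmarshal(String xml) throws Exception {
        Unmarshaller u = JAXBContext.newInstance(FavoriteMovie.class).createUnmarshaller();
        SAXSource source = new SAXSource(hardenedReader(),
                                         new InputSource(new StringReader(xml)));
        return (FavoriteMovie) u.unmarshal(source);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("benign title: " + unmarshal(BENIGN_PAYLOAD).getTitle());
        try {
            unmarshal(DOCTYPE_PAYLOAD);
            System.out.println("UNEXPECTED: document with DOCTYPE was accepted");
        } catch (UnmarshalException e) {
            // The parser stops at the DOCTYPE token, before any entity can be resolved,
            // and JAXB surfaces the SAXParseException as the linked exception.
            System.out.println("rejected: " + e);
        }
    }
}
```

In a Jersey resource the same idea applies at the point where the request body is turned into a FavoriteMovie: whatever creates the SAX parser for the JAXB unmarshaller must set these features, because a parser with default settings resolves external entities whether or not the application ever reads the resulting value. Rejecting the DOCTYPE also covers the entity-expansion (denial of service) variant that entityExpansionLimit is aimed at, and each rejected request shows up as a parse error that is worth logging as an attempted XXE rather than silently discarding.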