users@jersey.java.net

Re: [Jersey] Jersey vulnerable to XXE attack?

From: Tim McCune <tim_at_mccune.name>
Date: Thu, 9 Jul 2009 08:56:07 -0700

Catching up on this thread.

The unit test example that I provided shows that it works in Grizzly. We
originally encountered the problem in Tomcat. So we have seen it in both.

As Martin pointed out, you could potentially enable a very good security
model at the JVM level that might help. You could also rely on file system
permissions to help out. Both of these should be treated as additional
safeguards though, and not a solution to this vulnerability. They're there
to protect against the next, undiscovered, vulnerability.

Yes, the "secure processing" feature doesn't seem to have anything to do
with entity expansion.

In our framework that we've built on top of Jersey, we're adding a SAX
filter to the parsing chain to do our own field-level input validation
(primarily to protect against XSS attacks, for instance <foo>&lt;script&gt;
do_something_evil(); &lt;/script&gt;</foo>). As an aside, it would be
really cool if Jersey provided a way to do that out of the box. Anyway, in
order to accomplish this, we're providing our own Unmarshaller, and in turn,
our own SAX parser. So the easy fix for us was to call this on the
SAXParserFactory:

parserFactory.setFeature("http://xml.org/sax/features/external-general-entities", Boolean.FALSE);

Maybe Jersey just needs to always do the same when parsing XML instead of
simply passing the raw InputStream in.

On Thu, Jul 9, 2009 at 5:57 AM, Paul Sandoz <Paul.Sandoz_at_sun.com> wrote:

>
> On Jul 9, 2009, at 2:22 PM, Martin Probst wrote:
>
>>> I think one should generally set
>>> http://java.sun.com/j2se/1.5.0/docs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING
>>> to true in the DocumentBuilderFactory when processing XML from the
>>> outside.
>>>
>>
>> Actually I'm not even sure if that prevents entity expansion
>> generally. I think one also needs
>> "factory.setExpandEntityReferences(false);".
>>
>>
> Currently the way we are using JAXB is that we pass in InputStream to the
> Unmarshaller.unmarshal method. AFAIK it is not possible to pass such values
> to JAXB (and JAXB uses SAX internally not DOM).
>
> Paul.
>
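The fix Tim describes above, handing JAXB a SAX parser with external entities switched off instead of a raw InputStream, looks like this in code. This is an added example, not code from the thread or from Jersey; the Foo class, the constructed input strings and the disallow-doctype-decl feature (a Xerces feature that the JDK's built-in parser supports) are assumptions.

```java
import javax.xml.bind.JAXBContext;
import javax.xml.bind.UnmarshalException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;
import java.io.StringReader;

// javax.xml.bind ships with the JDK up to Java 10; on 11+ add the JAXB API/runtime jars.
public class SafeJaxbUnmarshal {

    // Hypothetical JAXB-bound type used only for this example.
    @XmlRootElement(name = "foo")
    public static class Foo {
        public String value;
    }

    public static Foo unmarshal(String xml) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        // The feature from the thread: never resolve external general entities.
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        // Also refuse external parameter entities and, strictest of all, any DOCTYPE.
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        XMLReader reader = spf.newSAXParser().getXMLReader();

        // JAXB uses the XMLReader inside the SAXSource, so our hardened parser does the parsing.
        SAXSource source = new SAXSource(reader, new InputSource(new StringReader(xml)));
        Unmarshaller u = JAXBContext.newInstance(Foo.class).createUnmarshaller();
        return (Foo) u.unmarshal(source);
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: one plain document, one carrying a DOCTYPE with an entity.
        String plain = "<foo><value>hello</value></foo>";
        System.out.println(unmarshal(plain).value);

        String withDoctype = "<!DOCTYPE foo [<!ENTITY x SYSTEM \"file:///PLACEHOLDER\">]>"
                + "<foo><value>&x;</value></foo>";
        try {
            unmarshal(withDoctype);
        } catch (UnmarshalException e) {
            // The parser rejects the DOCTYPE before any entity is resolved.
            System.out.println("rejected: " + e.getCause());
        }
    }
}
```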