users@jersey.java.net

Re: [Jersey] Jersey vulnerable to XXE attack?

From: Paul Sandoz <Paul.Sandoz_at_Sun.COM>
Date: Fri, 10 Jul 2009 10:38:41 +0200

On Jul 9, 2009, at 5:56 PM, Tim McCune wrote:

> Catching up on this thread.
>
> The unit test example that I provided shows that it works in
> Grizzly. We originally encountered the problem in Tomcat. So have
> seen it in both.
>
> As Martin pointed out, you could potentially enable a very good
> security model at the JVM level that might help. You could also
> rely on file system permissions to help out. Both of these should
> be treated as additional safeguards though, and not a solution to
> this vulnerability. They're there to protect against the next,
> undiscovered, vulnerability.
>
> Yes, the "secure processing" feature doesn't seem to have anything
> to do with entity expansion.
>
> In our framework that we've built on top of Jersey, we're adding a
> SAX filter to the parsing chain to do our own field-level input
> validation (primarily to protect against XSS attacks, for instance
> <foo>&lt;script&gt; do_something_evil(); &lt;/script&gt;</foo>). As
> an aside, it would be really cool if Jersey provided a way to do
> that out of the box.

Could you log a feature request?


> Anyway, in order to accomplish this, we're providing our own
> Unmarshaller, and in turn, our own SAX parser. So the easy fix for
> us was to call this on the SAXParserFactory:
>
> parserFactory.setFeature("http://xml.org/sax/features/external-general-entities", Boolean.FALSE);
>
> Maybe Jersey just needs to always do the same when parsing XML
> instead of simply passing the raw InputStream in.

Yes, I will need to change the JAXB marshalling to use the SAX parser
appropriately configured, and also appropriately configure the StAX
parser that is used for lists. Incidentally this has another advantage
and is likely to improve performance:

   http://david-buccola.spaces.live.com/blog/cns!9BFFF66C9212158C!500.entry

This is important enough that I would like to delay the release of
1.1.1-ea, which was due today, so that I can investigate and attempt to
fix it and release on Monday.

Paul.

>
> On Thu, Jul 9, 2009 at 5:57 AM, Paul Sandoz <Paul.Sandoz_at_sun.com>
> wrote:
>
> On Jul 9, 2009, at 2:22 PM, Martin Probst wrote:
>
> I think one should generally set
> http://java.sun.com/j2se/1.5.0/docs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING
> to true in the DocumentBuilderFactory when processing XML from the
> outside.
>
> Actually I'm not even sure if that prevents entity expansion
> generally. I think one also needs
> "factory.setExpandEntityReferences(false);".
>
>
> Currently the way we are using JAXB is that we pass in InputStream
> to the Unmarshaller.unmarshal method. AFAIK it is not possible to
> pass such values to JAXB (and JAXB uses SAX internally not DOM).
>
> Paul.
>
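A hardened version of the JAXB path discussed in this thread, as an added example that is not from the thread or from Jersey's code: it configures the SAXParserFactory the way Tim's fix does (plus external parameter entities and the secure-processing feature Martin mentioned) and hands JAXB a SAXSource instead of a raw InputStream, so the configured parser is the one that reads the request body. The class, field and placeholder URI names are assumptions, and it assumes a JDK where javax.xml.bind is available (JDK 6 to 8).

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class HardenedUnmarshal {

    @XmlRootElement(name = "foo")
    public static class Foo {
        public String value;   // mapped from <value>...</value>
    }

    // Builds a SAX reader with external entity resolution switched off,
    // as Tim's fix does, plus parameter entities and secure processing.
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return f.newSAXParser().getXMLReader();
    }

    // Unmarshals through a SAXSource so JAXB uses the configured parser
    // instead of building its own from a raw InputStream.
    static Foo unmarshal(String xml) throws Exception {
        Unmarshaller u = JAXBContext.newInstance(Foo.class).createUnmarshaller();
        SAXSource src = new SAXSource(hardenedReader(), new InputSource(new StringReader(xml)));
        return (Foo) u.unmarshal(src);
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: declares an external entity whose URI is a
        // placeholder that must never be fetched.
        String xml = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE foo [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/never-read\">]>"
            + "<foo><value>&ext;</value></foo>";
        Foo foo = unmarshal(xml);
        // With external general entities disabled the parser skips &ext;
        // so value does not contain the referenced resource.
        System.out.println("value = [" + foo.value + "]");
    }
}
```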