Spring Framework
  1. Spring Framework
  2. SPR-10806

Fix potential security risk when using Spring OXM

    Details

    • Type: Improvement Improvement
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 3.2.3
    • Fix Version/s: 3.2.4, 4.0 M3
    • Component/s: OXM
    • Labels:
    • Last commented by a User:
      false

      Description

      The issue is concerned with XML entity resolution. The idea is to use an XML entity to resolve to an local file on the host system (for instance, /etc/passwd). See https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing for more details. To resolve this issue, simply disable external entity resolution when dealing with XML from external sources. The way to do that depends on the XML API that you use.

      DOM
      When using DOM, simply set the expandEntityReferences property on the DocumentBuilderFactory to false. For instance:

      DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
      documentBuilderFactory.setExpandEntityReferences(false);
      DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
      Document document = documentBuilder.parse(externalSource);
      

      SAX
      When using SAX, set the "http://xml.org/sax/features/external-general-entities" feature on the XMLReader to false. For instance:

      XMLReader xmlReader = XMLReaderFactory.createXMLReader();
      xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
      xmlReader.parse(new InputSource(externalSource));
      

      StAX
      When using StAX, set the IS_REPLACING_ENTITY_REFERENCES property on the XMLInputFactory to false. For instance:

      XMLInputFactory factory = XMLInputFactory.newInstance();
      factory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, false);
      XMLStreamReader reader = factory.createXMLStreamReader(externalSource);
      

      Spring OXM

      When using any of the Spring OXM Marshallers for unmarshalling from an external source, please use the code above to disable entity resolution before passing on a Source to the marshaller. For instance, when using DOM:

      DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
      documentBuilderFactory.setExpandEntityReferences(false);
      DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
      Document document = documentBuilder.parse(externalSource);
      DOMSource source = new DOMSource(document);
      Jaxb2Marshaller jaxb2Marshaller = ...
      Object unmarshalled = jaxb2Marshaller.unmarshal(source);
      

        Issue Links

          Activity

          There are no comments yet on this issue.

            People

            • Assignee:
              Phil Webb
              Reporter:
              Arjen Poutsma
              Last updater:
              Juergen Hoeller
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Days since last comment:
                37 weeks, 2 days ago