
fix: Disable access to external entities in XML parsing #2217

Merged

Conversation

gtoison
Contributor

@gtoison gtoison commented Oct 15, 2022

Fixes security issues detected by sonarcloud such as: https://sonarcloud.io/project/issues?issues=AXDRMcroPCexr-BXKaE_&open=AXDRMcroPCexr-BXKaE_&id=com.github.spotbugs.spotbugs

The XML standard allows the use of entities, declared in the DOCTYPE of the document, which can be internal or external.

When parsing the XML file, the content of the external entities is retrieved from an external storage such as the file system or network, which may lead, if no restrictions are put in place, to arbitrary file disclosures or server-side request forgery (SSRF) vulnerabilities.

Added methods in XMLUtil to set up XML objects with more secure options.
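The hardening the description refers to, written out as an added example against the standard JAXP factories (this is not the project's XMLUtil code). It disallows DOCTYPE declarations, turns off external entity and DTD loading, and sets the JAXP access properties to the empty string so no protocol is allowed. The class name HardenedXml, the two sample documents and the placeholder SYSTEM URI are constructed for this example; the expected behaviour is that the DOCTYPE-free document parses and the one declaring an external entity is rejected before the entity is ever resolved.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

/** Added example (not spotbugs' XMLUtil): JAXP factories that refuse DTDs and external access. */
public final class HardenedXml {

    // Constructed input without a DOCTYPE: the hardened parser must still accept this.
    static final String PLAIN = "<config><option name=\"level\">high</option></config>";

    // Constructed input declaring an external entity. The SYSTEM URI is a placeholder; the point
    // is that the hardened parser rejects the DOCTYPE before it ever tries to resolve the entity.
    static final String WITH_EXTERNAL_ENTITY =
            "<!DOCTYPE config [<!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-file.txt\">]>"
            + "<config><option name=\"level\">&ext;</option></config>";

    private HardenedXml() {}

    /** DocumentBuilderFactory with DOCTYPE declarations disallowed and external access disabled. */
    public static DocumentBuilderFactory hardenedDocumentBuilderFactory() {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        try {
            // Rejecting any DOCTYPE removes both internal and external entity declarations.
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // Defence in depth in case a parser implementation ignores the feature above.
            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            factory.setXIncludeAware(false);
            factory.setExpandEntityReferences(false);
            // JAXP 1.5 access properties: an empty string means no protocol is allowed.
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        } catch (ParserConfigurationException | IllegalArgumentException e) {
            // A parser that cannot be hardened is a configuration/state problem, not a caller error.
            throw new IllegalStateException("XML parser does not support secure processing features", e);
        }
        return factory;
    }

    /** TransformerFactory that cannot fetch external DTDs or stylesheets. */
    public static TransformerFactory hardenedTransformerFactory() {
        TransformerFactory factory = TransformerFactory.newInstance();
        try {
            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (TransformerConfigurationException | IllegalArgumentException e) {
            throw new IllegalStateException("XML transformer does not support secure processing", e);
        }
        return factory;
    }

    /** Parses with the hardened factory and returns the text of the first option element. */
    public static String parseOption(String xml)
            throws SAXException, IOException, ParserConfigurationException {
        DocumentBuilder builder = hardenedDocumentBuilderFactory().newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        return doc.getElementsByTagName("option").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain document -> " + parseOption(PLAIN));
        try {
            parseOption(WITH_EXTERNAL_ENTITY);
            System.out.println("UNEXPECTED: document with external entity was accepted");
        } catch (SAXParseException e) {
            // Expected path: the DOCTYPE is refused, so the external entity is never resolved.
            System.out.println("document with DOCTYPE rejected -> " + e.getMessage());
        }
    }
}
```

The failure branch throws IllegalStateException rather than IllegalArgumentException because the helper takes no arguments and the failure comes from the parser implementation, not from the caller. Setting the JAXP attributes on an older or third-party factory can also throw IllegalArgumentException for an unrecognised attribute, which is why that type is caught alongside the checked configuration exceptions.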

try {
reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
} catch (Exception e) {
throw new IllegalArgumentException(e);
Member

It seems that it's not an argument issue (this buildSAXReader() method has no argument).
It is probably better to use another exception type?

Contributor Author

I have modified the exception type and added an error message; please let me know if you had something else in mind or if this requires further adjustments.

factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
} catch (Exception e) {
throw new IllegalArgumentException(e);
Member

Same issue here. 🙇‍♂️

Member

@KengoTODA KengoTODA left a comment

LGTM, please add a changelog entry into the CHANGELOG.md file. We probably need a new ### Security under the ## Unreleased.

@gtoison gtoison force-pushed the disable-access-to-external-entities branch from 2ff2de8 to 4c3481c Compare October 23, 2022 09:46
Contributor Author

gtoison commented Oct 23, 2022

Thanks for the review, I have rebased and added a security category in the changelog with a new entry for this PR.

Member

@KengoTODA KengoTODA left a comment

LGTM, thank you! 🤝

@KengoTODA KengoTODA merged commit 1add04b into spotbugs:master Oct 24, 2022