
SAXParserFactory doesn't disable XML entity expansion

Open glassfishrobot opened this issue 9 years ago • 4 comments

The DocumentBuilderFactory and XmlInputFactory providers aren't vulnerable to Billion Laughs attacks (exponential entity expansion) because they disable entity expansion altogether.

But the SAXParserFactory provider only disables external entities, and it's possible to use the following input to generate very high memory consumption (especially if the application using it allows parallel requests):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lollollollollollollol[...]">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
]>
<Quote>
<fName>FIRST NAME &lol6;</fName>
</Quote>

There is actually a limit, but a very high one (like 100000 I think, and I couldn't configure it with the entityExpansionLimit JDK property). If it doesn't work, try removing the last level of recursion. Even if the depth is limited, there is no maximum for the expanded size, so adding a few kilobytes to the entity text would make the attack successful.

Check disallow-doctype-decl feature in this example: https://gist.github.com/asudhakar02/45e2e6fd8bcdfb4bc3b2

Affected Versions

[2.24]

glassfishrobot avatar Oct 07 '16 15:10 glassfishrobot

Reported by alepulver

glassfishrobot avatar Oct 07 '16 15:10 glassfishrobot

jkharness87 said: The default appears to be 64,000 (as of JAXP 1.4):

https://docs.oracle.com/javase/tutorial/jaxp/limits/limits.html https://jaxp.java.net/1.4/JAXP-Compatibility.html#JAXP_security

Setting the following system property would greatly limit the impact of the issue you raise (setting to 0 makes it unlimited, which you wouldn't want):

jdk.xml.entityExpansionLimit=1

I agree, though. It would be helpful to disable entity expansion altogether for systems that don't require it. More generally speaking, it'd be nice to offer control over all the configuration options as recommended by OWASP:

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Java

glassfishrobot avatar Feb 01 '17 13:02 glassfishrobot
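Added example, not Jersey's code and not posted by anyone in this thread: a stand-alone Java program that puts the two configurations discussed above side by side. The first mirrors the report's "only external entities disabled" SAXParserFactory; the second is hardened along the lines of the OWASP cheat sheet, with disallow-doctype-decl (the feature the gist in the report points at) and the per-parser equivalent of the jdk.xml.entityExpansionLimit system property that jkharness87 suggests. The payload is a constructed, scaled-down version of the one in the report (depth 4, roughly a thousand copies of the base entity), small enough to stay under the JDK's default 64,000-expansion limit so that it parses in the weak configuration. The program assumes the JDK's built-in Xerces-derived parser, which recognises the Apache feature URIs and the http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit property; another SAX provider on the classpath may reject them. The class and method names are the example's own.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class SaxEntityExpansionDemo {

    // Constructed payload in the shape of the one in the report, cut to
    // depth 4 (about 1,000 copies of "lol") so that it stays under the
    // JDK's default 64,000-expansion limit and parses in the weak configuration.
    private static final String PAYLOAD = String.join("\n",
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>",
        "<!DOCTYPE lolz [",
        "  <!ENTITY lol \"lollollollollollollol\">",
        "  <!ENTITY lol2 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">",
        "  <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">",
        "  <!ENTITY lol4 \"&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;\">",
        "]>",
        "<Quote><fName>FIRST NAME &lol4;</fName></Quote>");

    /** Sums the character data the parser hands us, i.e. the expanded size. */
    static final class SizeCounter extends DefaultHandler {
        long chars;
        @Override
        public void characters(char[] ch, int start, int length) {
            chars += length;
        }
    }

    /** The configuration the issue describes: external entities are off,
     *  but internal entity expansion (the Billion Laughs vector) is untouched. */
    static SAXParser externalEntitiesOnlyDisabled() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f.newSAXParser();
    }

    /** Hardened along the lines of the OWASP cheat sheet: reject the DOCTYPE
     *  outright when the application can live without one; otherwise keep
     *  entities internal-only and cap expansion on this parser (the same knob
     *  as -Djdk.xml.entityExpansionLimit, but without touching global state). */
    static SAXParser hardened(boolean allowDoctype, int entityExpansionLimit) throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", !allowDoctype);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        SAXParser p = f.newSAXParser();
        p.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        // Per-parser form of the limit; assumes the JDK's built-in parser.
        p.setProperty("http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit",
                      String.valueOf(entityExpansionLimit));
        return p;
    }

    /** Parses PAYLOAD with the given parser and returns the expanded character count. */
    static long expandedChars(SAXParser p) throws Exception {
        SizeCounter h = new SizeCounter();
        p.parse(new ByteArrayInputStream(PAYLOAD.getBytes(StandardCharsets.UTF_8)), h);
        return h.chars;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("payload bytes: " + PAYLOAD.getBytes(StandardCharsets.UTF_8).length);

        // 1. Only external entities disabled: the document is accepted and the
        //    handler receives far more text than was sent.
        System.out.println("external-only disabled, expanded chars: "
                + expandedChars(externalEntitiesOnlyDisabled()));

        // 2. DOCTYPE disallowed: rejected before a single entity is declared.
        try {
            expandedChars(hardened(false, 64000));
        } catch (SAXParseException e) {
            System.out.println("disallow-doctype-decl: " + e.getMessage());
        }

        // 3. DOCTYPE allowed but expansion capped at 1: rejected once the cap is hit.
        try {
            expandedChars(hardened(true, 1));
        } catch (SAXParseException e) {
            System.out.println("entityExpansionLimit=1: " + e.getMessage());
        }
    }
}
```

On JDK 11 or later it can be launched directly with `java SaxEntityExpansionDemo.java`. The third case is the one to compare against jkharness87's suggestion: the system property sets the same limit process-wide, whereas the property on the parser scopes it to the parsers a given provider creates, which is what a library such as Jersey would need in order not to change the behaviour of other XML consumers in the same JVM. Note that the limit counts entity expansions, not output bytes, so the report's point about padding the base entity still applies: the disallow-doctype-decl feature is the setting that closes the hole, and the expansion cap is defence in depth for applications that must accept a DOCTYPE.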

This issue was imported from java.net JIRA JERSEY-3174

glassfishrobot avatar Apr 25 '17 05:04 glassfishrobot

When is this issue going to be fixed?

Does the system property jdk.xml.entityExpansionLimit=1 work?

kiranmn avatar Dec 05 '17 13:12 kiranmn