play-ws
play-ws copied to clipboard
XMLBodyReadables has "XML External Entity Injection" vulnerability
Play WS Version (2.5.x / etc)
since v2.1.0-M3 to v2.1.2
API (Scala / Java / Neither / Both)
Scala
Operating System (Ubuntu 15.10 / MacOS 10.10 / Windows 10)
unrelated
JDK (Oracle 1.8.0_72, OpenJDK 1.8.x, Azul Zing)
unrelated
Library Dependencies
unrelated
Expected Behavior
Actual Behavior
Reproducible Test Case
--- a/integration-tests/src/test/scala/play/api/libs/ws/ahc/XMLRequestSpec.scala
+++ b/integration-tests/src/test/scala/play/api/libs/ws/ahc/XMLRequestSpec.scala
@@ -65,6 +65,13 @@ class XMLRequestSpec extends Specification with Mockito with AfterAll with MustM
ByteString.fromArray(req.getByteData).utf8String must be_==("<hello><test/></hello>")
}
+ "XXE injection vulnerability" in {
+ val test = """<!DOCTYPE name [<!ENTITY hosts SYSTEM "file:///etc/hosts"> ]><foo>&hosts;</foo>"""
+ val value: Elem = XMLBodyReadables.readableAsXml.transform(new StubResponse(test.getBytes(StandardCharsets.UTF_8)))
+ println(value) // print my /etc/hosts 😇
+ true
+ }
+
sbt "integration-tests/testOnly play.api.libs.ws.ahc.XMLRequestSpec"
note
- 6 years ago https://github.com/playframework/playframework/commit/dc94b943ee5dc
- regression 😢 ? https://github.com/playframework/play-ws/commit/46d7a1f9ec32b81db77b494b7a57c9e9b610fa5d https://github.com/playframework/play-ws/pull/329