RESTEasy / RESTEASY-637

RestEasy and XXE injection - Services that accept XML are vulnerable to XXE attacks

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Critical
    • Resolution: Done
    • Affects Version/s: 2.2.2.GA
    • Fix Version/s: 2.3.1
    • Component/s: jaxrs
    • Labels:
      None
    • Environment:
      ALL

    • Estimated Difficulty:
      Medium

      Description

      We have RestEasy endpoints deployed in production. We are able to call the RestEasy endpoint by submitting the following (as an example):

      <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
      <search><user>&xxe;</user></search>

      If we submit the above to a web service built on RestEasy, we can see the contents of /etc/passwd.

      This presents a well-documented security issue - XXE (XML eXternal Entity Attack)

      If we use SAX directly, we can instruct a parser not to read the external DTD subset by setting the http://xml.org/sax/features/external-general-entities and http://xml.org/sax/features/external-parameter-entities features to false.

      For example:
      XMLReader parser = XMLReaderFactory.createXMLReader(); // org.xml.sax.XMLReader, org.xml.sax.helpers.XMLReaderFactory
      parser.setFeature("http://xml.org/sax/features/external-general-entities", false);
      parser.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

      We can also accomplish the same using a custom entity resolver when using the parsers directly.

      How do we accomplish the same using RestEasy?

      From the documentation, it seems that we would have to write a custom MessageBodyReader, where we actually check for any of these doctype declarations before allowing the call to proceed to the actual endpoint.

      Jersey also had a similar problem, which seems to have been addressed
      http://java.net/jira/browse/JERSEY-323
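
One way to answer the question above, as an added example that is not part of the original issue and not RESTEasy's own code: a JAX-RS MessageBodyReader that parses the request through a hardened SAX XMLReader before handing it to JAXB. It goes beyond the two features quoted in the report by also rejecting any DOCTYPE declaration outright (the Xerces `disallow-doctype-decl` feature), which is the simplest defence when the service does not need DTDs at all. The class name `SafeXmlReader` and the helper `hardenedXmlReader` are hypothetical; the code assumes Java 7+, the JAX-RS 1.1 and JAXB `javax.*` packages that RESTEasy 2.x uses, and a Xerces-based parser (the JDK's built-in parser qualifies).

```java
import java.io.IOException;
import java.io.InputStream;
import java.lang.annotation.Annotation;
import java.lang.reflect.Type;

import javax.ws.rs.Consumes;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.MessageBodyReader;
import javax.ws.rs.ext.Provider;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;

import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

// Hypothetical provider (not part of RESTEasy): unmarshals @XmlRootElement
// request bodies with a parser that refuses DTDs and external entities.
@Provider
@Consumes({MediaType.APPLICATION_XML, MediaType.TEXT_XML})
public class SafeXmlReader implements MessageBodyReader<Object> {

    @Override
    public boolean isReadable(Class<?> type, Type genericType,
                              Annotation[] annotations, MediaType mediaType) {
        // Take over every JAXB root type; the built-in reader is then bypassed.
        return type.isAnnotationPresent(XmlRootElement.class);
    }

    @Override
    public Object readFrom(Class<Object> type, Type genericType,
                           Annotation[] annotations, MediaType mediaType,
                           MultivaluedMap<String, String> httpHeaders,
                           InputStream entityStream)
            throws IOException, WebApplicationException {
        try {
            // JAXB pulls events from the XMLReader we supply, so the
            // hardened features apply to the whole request body.
            SAXSource source = new SAXSource(hardenedXmlReader(),
                                             new InputSource(entityStream));
            // A real provider would cache the JAXBContext per type; it is
            // expensive to build on every request.
            Unmarshaller u = JAXBContext.newInstance(type).createUnmarshaller();
            return u.unmarshal(source);
        } catch (ParserConfigurationException | SAXException | JAXBException e) {
            // A DOCTYPE in the body surfaces here as a parse error.
            throw new WebApplicationException(e, Response.Status.BAD_REQUEST);
        }
    }

    // Hypothetical helper: a SAX XMLReader with every entity-expansion path closed.
    static XMLReader hardenedXmlReader()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        // Strongest setting: any <!DOCTYPE ...> is a fatal error (Xerces feature).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces if DTDs must ever be re-enabled: the two features
        // from the report plus the external-DTD load switch.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // XInclude is another way to pull in local files; keep it off.
        f.setXIncludeAware(false);
        return f.newSAXParser().getXMLReader();
    }
}
```

Registered as a provider (for example via the `resteasy.providers` context parameter, or by scanning), this class takes precedence over RESTEasy's built-in JAXB reader for the types it accepts, because JAX-RS consults application-supplied providers before implementation-supplied ones. With `disallow-doctype-decl` set, the `<!DOCTYPE foo [...]>` payload in the report fails at parse time and the client gets a 400 rather than the contents of /etc/passwd; whether the feature actually took effect can be checked by sending that payload to a test endpoint after deployment, since an unsupported feature string throws `SAXNotRecognizedException` instead of silently being ignored.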


                People

                • Assignee: ron_sigal Ron Sigal
                • Reporter: adkathuria anuj kathuria
                • Votes: 0
                • Watchers: 5
