RESTEasy: RESTEASY-637

RestEasy and XXE injection - Services that accept XML are vulnerable to XXE attacks

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Done
    • Affects Version/s: 2.2.2.GA
    • Fix Version/s: 2.3.1
    • Component/s: jaxrs
    • Labels: None
    • Environment: ALL
    • Estimated Difficulty: Medium

      Description

      We have RESTEasy endpoints deployed in production. We are able to call a RESTEasy endpoint by submitting the following (as an example):

      <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
      <search><user>&xxe;</user></search>

      If we submit the above to a web service built on RestEasy, we can see the contents of /etc/passwd.

      This presents a well-documented security issue: XXE (XML eXternal Entity attack).

      If we use SAX directly, we can instruct a parser not to read the external DTD subset by setting the http://xml.org/sax/features/external-general-entities and http://xml.org/sax/features/external-parameter-entities features to false.

      For example:
      parser.setFeature("http://xml.org/sax/features/external-general-entities", false);
      parser.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

      We can also accomplish the same using a custom entity resolver when using the parsers directly.

      How do we accomplish the same using RestEasy?

      From the documentation, it seems that we would have to write a custom MessageBodyReader, where we actually check for any of these doctype declarations before allowing the call to proceed to the actual endpoint.

      Jersey also had a similar problem, which seems to have been addressed:
      http://java.net/jira/browse/JERSEY-323
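      The following is an added example of the custom MessageBodyReader approach described above; it is not part of the issue report and not RESTEasy's own provider. It assumes a hypothetical class name SafeDocumentReader, uses only the standard JAX-RS and JAXP APIs, and applies the two SAX features named in the report together with the Xerces "disallow-doctype-decl" feature, so a body like the sample above is rejected with 400 Bad Request instead of being parsed. The main method parses the report's sample payload (constructed here from the text of the issue) with the hardened factory so the rejection can be checked stand-alone.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.lang.annotation.Annotation;
import java.lang.reflect.Type;

import javax.ws.rs.Consumes;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.MessageBodyReader;
import javax.ws.rs.ext.Provider;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Hypothetical hardened reader for org.w3c.dom.Document request bodies (added example,
// not RESTEasy's own provider). Once registered as a JAX-RS @Provider it handles XML
// bodies for resource methods that take a Document parameter.
@Provider
@Consumes({"application/xml", "text/xml"})
public class SafeDocumentReader implements MessageBodyReader<Document> {

    // Factory whose parsers refuse DOCTYPE declarations and never resolve external entities.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting any DOCTYPE is the strongest setting: no entity can be declared at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth: the two SAX features named in the issue description, in case the
        // DOCTYPE restriction is ever relaxed for a deployment that needs internal entities.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Do not fetch an external DTD subset or follow XInclude references either.
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    @Override
    public boolean isReadable(Class<?> type, Type genericType, Annotation[] annotations,
                              MediaType mediaType) {
        return Document.class.isAssignableFrom(type);
    }

    @Override
    public Document readFrom(Class<Document> type, Type genericType, Annotation[] annotations,
                             MediaType mediaType, MultivaluedMap<String, String> httpHeaders,
                             InputStream entityStream) throws IOException, WebApplicationException {
        try {
            DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
            return builder.parse(entityStream);
        } catch (ParserConfigurationException e) {
            // The parser does not support a required feature: fail closed rather than
            // fall back to an unhardened parser.
            throw new WebApplicationException(e, Response.Status.INTERNAL_SERVER_ERROR);
        } catch (SAXException e) {
            // A DOCTYPE (or otherwise malformed XML) is a client error, not a server fault.
            throw new WebApplicationException(e, Response.Status.BAD_REQUEST);
        }
    }

    // Stand-alone check: the payload from the issue report must be rejected by the factory.
    public static void main(String[] args) throws Exception {
        // Constructed sample, copied from the issue description.
        String payload = "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>\n"
                       + "<search><user>&xxe;</user></search>";
        InputStream in = new ByteArrayInputStream(payload.getBytes("UTF-8"));
        try {
            hardenedFactory().newDocumentBuilder().parse(in);
            System.out.println("UNEXPECTED: document accepted");
        } catch (SAXException e) {
            System.out.println("Rejected as expected: " + e.getMessage());
        }
    }
}
```

      The reader fails closed: if the JAXP implementation on the classpath does not recognise one of the features, setFeature throws ParserConfigurationException and the request is refused rather than parsed with defaults. RESTEasy picks up @Provider classes through its provider scanning or an explicit registration such as the resteasy.providers context-param in web.xml; the reader then takes precedence for Document parameters over the default one.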

        Attachments

        1. testpasswd (0.0 kB, Ron Sigal)
        2. TestXXE.java (4 kB, Ron Sigal)

            Activity

            ron_sigal Ron Sigal added a comment -

            Hi Anuj,

            My fault. Thanks for the feedback. I created RESTEASY-647 for the JAXB version of the problem.

            -Ron

            dserodio Daniel Serodio added a comment -

            With this fix, is the context-param on web.xml mentioned by Ron Sigal needed?

            adkathuria anuj kathuria added a comment -

            The context param handled the case for 'Document' input for RestEasy endpoints. There is another open issue created by Ron - RESTEASY-647 - for the JAXB version of the problem. Ron can probably answer, if the intent is to reuse the context param.

            ron_sigal Ron Sigal added a comment -

            re: "With this fix, is the context-param on web.xml mentioned by Ron Sigal needed?"

            As Anuj said, the parameter is needed for documents. I haven't looked into the JAXB case yet, but I'll try to keep the two cases consistent.

            ron_sigal Ron Sigal added a comment -

            I am attaching the current resteasy-jaxrs jars. They were compiled with jdk1.6.0_30.


              People

              • Assignee: ron_sigal Ron Sigal
              • Reporter: adkathuria anuj kathuria
              • Votes: 0
              • Watchers: 5
