For description, see RESTEASY-637. I fixed the problem for org.w3c.dom.Document inputs, but not for JAXB XML inputs.
RestEasy and XXE injection - Services that accept XML are vulnerable to XXE attacks
RestEasy and XXE injection - Services that accept XML are vulnerable to XXE attacks, Part II
RestEasy and XXE injection - Services that accept XML are vulnerable to XXE attacks, Part III: Fastinfoset
To follow up, I am working with Anuj and we have a fix that is being tested to address the problem with entities accessing the local file system when using a JAXB provider.
The proposed change to the org.jboss.resteasy.plugins.providers.jaxb.JAXBXmlTypeProvider:readFrom method is as follows:
JAXBContext jaxb = findJAXBContext(type, annotations, mediaType, true);
Unmarshaller unmarshaller = jaxb.createUnmarshaller();
// fix for embedded entity expansion: parse to a DOM first so the DOM parser,
// not JAXB's own reader, controls how entity references are handled
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setExpandEntityReferences(false); // the ExpandEntityReferences setting referred to in the note below
DocumentBuilder db = dbf.newDocumentBuilder();
Document doc = db.parse(entityStream);
Object obj = unmarshaller.unmarshal(doc);
We also tried to use the following Xerces attribute, but a NullPointerException was being thrown by the document parser and the problem seemed to be addressed with the ExpandEntityReferences set to false.
We have run initial tests and the results are promising…
Thanks – Mark
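A hardened version of the same parse-then-unmarshal pattern, added here as an example that is neither RESTEasy's code nor Mark's patch: it switches off DTD processing and external entities on the DocumentBuilderFactory (the standard Xerces and SAX feature URIs) before the DOM is handed to JAXB, so an input carrying an entity declaration is rejected rather than resolved. HardenedJaxbRead, Customer and hardenedFactory are assumed names; both XML inputs are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedJaxbRead {
    @XmlRootElement(name = "customer")
    public static class Customer { public String name; }

    // Hypothetical helper: a DOM parser that refuses DOCTYPEs and never fetches external entities.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setExpandEntityReferences(false); // belt and braces; the features above do the real work
        return dbf;
    }

    // Same shape as the proposed readFrom body: parse to a DOM first, then unmarshal the DOM.
    static Customer unmarshal(InputStream entityStream) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        Document doc = db.parse(entityStream); // throws SAXParseException when a DOCTYPE is present
        Unmarshaller u = JAXBContext.newInstance(Customer.class).createUnmarshaller();
        return (Customer) u.unmarshal(doc);
    }

    static InputStream stream(String s) {
        return new ByteArrayInputStream(s.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a benign document and one declaring an external entity.
        String benign = "<customer><name>alice</name></customer>";
        String withDoctype = "<!DOCTYPE customer [<!ENTITY ext SYSTEM \"file:///placeholder\">]>"
                + "<customer><name>&ext;</name></customer>";
        System.out.println(unmarshal(stream(benign)).name); // alice
        try {
            unmarshal(stream(withDoctype));
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage()); // the DOCTYPE itself is refused
        }
    }
}
```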
Update. I haven't made much progress with fastinfoset, so I'm going to break it out into a separate issue and close this issue. I just have to update the user's guide.
I believe that the fix is working for the various JAXB unmarshallers, and I've updated the user's guide. Also, I've split off the fastinfoset version to RESTEASY-659, so I am closing this issue.
Ron, we tested this fix for JAXB. It works fine. Thank you for the fix.
When are you expecting to release 2.3.2, so that we can start using it?
Thanks for the good news. I believe there will be a release in the next couple of days.
I am attaching current JAXB provider jars. They were compiled with jdk1.6.0_30.