RESTEASY-659: RestEasy and XXE injection - Services that accept XML are vulnerable to XXE attacks, Part III: Fastinfoset

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 2.3.2.Final
    • Fix Version/s: 2.3.3.Final
    • Component/s: jaxrs
    • Labels:
      None
    • Environment:
      ALL
    • Estimated Difficulty:
      Medium

      Description

      For description, see RESTEASY-637 and RESTEASY-647. I fixed the problem for org.w3c.dom.Document inputs and JAXB XML inputs, but not for fastinfoset representation.

            Activity

            bill.burke Bill Burke added a comment -

            Should we defer this to 2.3.3 or 3.0? We need to release on Mon/Tues.

            ron_sigal Ron Sigal added a comment -

            Pushing to 2.3.3.

            ron_sigal Ron Sigal added a comment -

            I am attaching current FastInfoset provider jars. They were compiled with jdk1.6.0_30.

            ron_sigal Ron Sigal added a comment -

            Just updated the jars.

            ron_sigal Ron Sigal added a comment -

            Updated the jars again.

            ron_sigal Ron Sigal added a comment -

            This turned out to be an interesting issue. The FastInfoset format, defined in http://www.itu.int/ITU-T/asn1/xml/finf.htm, is based on the XML information set concept described in http://www.w3.org/TR/xml-infoset/. The XML information set is an abstract representation of a parsed XML document, and, as such, does not include a representation of external entities in the DTD section. Instead, an external entity is either expanded, in which case it does not appear after parsing, or it is not expanded. In the latter case, the information set has a representation of an "unexpanded entity reference", which includes PUBLIC and SYSTEM references. It follows that the FastInfoset format also does not have external references in the DTD section, just unexpanded entity references. It seems that these unexpanded entity references don't fit well with existing XML parsers, and every treatment of FastInfoset documents that I could find seems to just ignore them. It follows that they are not subject to XXE attacks. So for this issue, I added unit tests that verify that unexpanded entity references remain unexpanded, in case future treatments no longer ignore them.

            It also turns out that the changes in the JAXB provider to guard against XXE attacks interfered with the FastInfoset provider classes, so they override the suppressExpandEntityExpansion() method so that the unmarshaller wrapping in the JAXB provider is avoided.

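The comment above refers to the "unmarshaller wrapping" that the JAXB provider uses to guard plain XML input against XXE, the guard that the FastInfoset providers opt out of via suppressExpandEntityExpansion(). The following is an added, self-contained example (not RESTEasy code, and not the project's actual wrapping implementation) that shows the difference that guard makes: a JAXB unmarshaller fed raw text versus the same unmarshaller fed a StAX reader that has DTD support and external entity resolution switched off. The class and method names (XxeGuardDemo, Note, unmarshalUnguarded, unmarshalGuarded), the temporary "secret" file and the constructed payload are all assumptions made for the demonstration. It assumes JAXB on the classpath (JDK 8, or the jaxb-api and jaxb-runtime jars on newer JDKs); whether the unguarded path actually expands the entity depends on the JAXB runtime and JDK in use, which is exactly why the guarded path does not rely on it.

```java
import java.io.File;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;

import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

// Added example, not RESTEasy code: contrasts an unguarded JAXB unmarshal
// with one that is wrapped behind a StAX reader that cannot expand external entities.
public class XxeGuardDemo {

    // Hypothetical payload type for the demo.
    @XmlRootElement(name = "note")
    public static class Note {
        public String body;
    }

    // Unguarded path: the JAXB runtime chooses and configures the XML parser
    // itself. Whether &xxe; is expanded depends entirely on that runtime.
    static Note unmarshalUnguarded(String xml) throws JAXBException {
        Unmarshaller u = JAXBContext.newInstance(Note.class).createUnmarshaller();
        return (Note) u.unmarshal(new StringReader(xml));
    }

    // Guarded path: parse with a StAX reader that refuses DTD processing and
    // external entity resolution, then hand the already-constrained event
    // stream to JAXB. JAXB never sees the raw text, so it cannot expand anything.
    static Note unmarshalGuarded(String xml) throws JAXBException, XMLStreamException {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        Unmarshaller u = JAXBContext.newInstance(Note.class).createUnmarshaller();
        return (Note) u.unmarshal(reader);
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a file an attacker wants to read via XXE.
        File secret = File.createTempFile("xxe-demo", ".txt");
        secret.deleteOnExit();
        Files.write(secret.toPath(), "SECRET-CONTENT".getBytes(StandardCharsets.UTF_8));

        // Constructed XXE payload: an external entity whose SYSTEM id points at the file.
        String payload =
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE note [<!ENTITY xxe SYSTEM \"" + secret.toURI() + "\">]>\n" +
            "<note><body>&xxe;</body></note>";

        try {
            System.out.println("unguarded body = " + unmarshalUnguarded(payload).body);
        } catch (Exception e) {
            System.out.println("unguarded: parser refused, " + e.getClass().getSimpleName());
        }

        try {
            System.out.println("guarded body   = " + unmarshalGuarded(payload).body);
        } catch (Exception e) {
            // With SUPPORT_DTD=false the reader either rejects the DOCTYPE or reports
            // xxe as an undeclared entity; in neither case does the file content
            // reach Note.body.
            System.out.println("guarded: rejected, " + e.getClass().getSimpleName());
        }
    }
}
```

The guarded path is the shape of check a practitioner wants on any endpoint that hands untrusted XML to JAXB: configure the parser yourself and pass JAXB a Source or stream reader, rather than trusting the unmarshaller's default parser. For FastInfoset input the comment above explains why this wrapping is both unnecessary and disruptive: the binary format carries unexpanded entity references rather than DTD external entities, so the providers bypass the wrapper and the unit tests instead assert that those references stay unexpanded.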
            ron_sigal Ron Sigal added a comment -

            Resetting the fix version to 2.3.3.


              People

              • Assignee:
                ron_sigal Ron Sigal
              • Reporter:
                adkathuria anuj kathuria