WildFly issue WFLY-19125

CWE-611 issues in deployment descriptor parsing

Details: Type: Bug; Resolution: Unresolved; Priority: Minor

    Description

      Various deployment unit processors (DUPs) could use some hardening to ensure they handle https://cwe.mitre.org/data/definitions/611.html (improper restriction of XML external entity reference) properly when parsing deployment descriptors.

      Per https://docs.oracle.com/en/java/javase/21/security/java-api-xml-processing-jaxp-security-guide.html#GUID-5C5B2843-3964-4DE3-847A-5C4863A75F17:

      Even in a trusted environment with trusted sources, it's recommended that you use both external access restrictions and resolvers to minimize dependencies on external sources.

      The 'external access restrictions' bit is handled by never calling XMLInputFactory.createXMLStreamReader without first calling XMLInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false) on the factory.

      The 'resolvers' bit is handled by setting an XMLResolver on the factory that always returns "" from its resolveEntity method, so that nothing the descriptor references is ever fetched.

      In various DUPs we are using a mix of these approaches, or none.

      This is minor because a deployment unit descriptor is trusted content.
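      The two measures described above, applied together, as an added example that is not WildFly's own code: a factory with external entity support disabled and a resolver that never fetches anything, run over a constructed descriptor that declares an external entity. The class and method names and the descriptor are made up for illustration; the resolver returns an empty InputStream, which the XMLResolver javadoc lists as an accepted return type, in place of the "" the issue describes (the accepted return types vary by StAX implementation).

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLResolver;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public final class HardenedDescriptorParser {

    // Constructed descriptor: declares an external entity pointing at a
    // non-routable placeholder URL and references it in element content.
    static final String DESCRIPTOR =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE jboss-web [\n"
        + "  <!ENTITY ext SYSTEM \"http://example.invalid/not-fetched.xml\">\n"
        + "]>\n"
        + "<jboss-web><context-root>/app&ext;</context-root></jboss-web>";

    /** Factory with both hardening measures from the issue applied. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        // External access restriction: do not resolve external parsed entities.
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        // Resolver: answer every entity/DTD lookup with empty content, never a fetch.
        factory.setXMLResolver((publicID, systemID, baseURI, namespace)
                -> new ByteArrayInputStream(new byte[0]));
        return factory;
    }

    /** Parses a descriptor with the hardened factory and returns the <context-root> text. */
    static String contextRoot(String xml) throws XMLStreamException {
        XMLStreamReader reader = hardenedFactory().createXMLStreamReader(new StringReader(xml));
        StringBuilder text = new StringBuilder();
        boolean inContextRoot = false;
        while (reader.hasNext()) {
            int event = reader.next();
            if (event == XMLStreamConstants.START_ELEMENT) {
                inContextRoot = "context-root".equals(reader.getLocalName());
            } else if (event == XMLStreamConstants.END_ELEMENT) {
                inContextRoot = false;
            } else if (inContextRoot && event == XMLStreamConstants.CHARACTERS) {
                text.append(reader.getText());
            } else if (inContextRoot && event == XMLStreamConstants.ENTITY_REFERENCE) {
                // Unexpanded external entity: record only its name, never any content.
                text.append("[unexpanded:").append(reader.getLocalName()).append(']');
            }
        }
        reader.close();
        return text.toString();
    }

    public static void main(String[] args) throws XMLStreamException {
        System.out.println(contextRoot(DESCRIPTOR));
    }
}
```

      Whichever way a given StAX implementation reports the blocked reference (as an unexpanded entity event or as empty text), the placeholder URL is never contacted, which is the property the issue asks every DUP to guarantee.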

People: Brian Stansberry (bstansbe@redhat.com)