3breadt / dd-plist

A java library providing support for ASCII, XML and binary property lists.

XXE Vulnerability. #51

Closed zahiritpro closed 5 years ago

zahiritpro commented 5 years ago

Able to launch a Billion Laughs attack (https://en.wikipedia.org/wiki/Billion_laughs_attack).

However, adding the code below in XMLPropertyListParser seems to restrict the vulnerability: `FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);`

Please review.

3breadt commented 5 years ago

Can you please share an example on how the Billion-laugh attack can be launched against the XMLPropertyListParser? Because I cannot reproduce it.

All recommended factory settings as per the XXE prevention cheat sheet are already in place. See #26.

A quick unit test confirmed that the current settings prevent the attack. The following exception is thrown by the parser: `[Fatal Error] :1:1: JAXP00010001: The parser has encountered more than "64000" entity expansions in this document; this is the limit imposed by the JDK`

So what is the added benefit of XMLConstants.FEATURE_SECURE_PROCESSING?

zahiritpro commented 5 years ago

Can you try parsing the XML content at the link below? https://en.wikipedia.org/wiki/Billion_laughs_attack#Code_example

3breadt commented 5 years ago

That's exactly the XML I used for testing.

3breadt commented 5 years ago

If you don't object, I would close this issue.

zahiritpro commented 5 years ago

Yeah, I see the test working fine. I noticed that if the fSecureProcess property of DocumentBuilderFactory is true, the parser works fine. This property wasn't true when I tried it in my application, hence the attack went through. Will check what is different.

You can close the issue. Thank you!
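The thread turns on two layers of defence: the XXE prevention cheat sheet settings (above all rejecting any DOCTYPE, so no entity can be declared at all) and the JDK's secure-processing limits, which cap entity expansion at 64000 if a DOCTYPE ever does get through. The following is an added example, not code from dd-plist or from either commenter: it builds a `DocumentBuilderFactory` with the cheat sheet's documented features plus `FEATURE_SECURE_PROCESSING` and feeds it a small constructed plist carrying a DOCTYPE. The class and method names, and the sample XML, are this example's own.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXParseException;

public class HardenedPlistParserDemo {
    // Constructed sample: a plist whose DOCTYPE declares one internal entity.
    // A hardened factory must reject it at the DOCTYPE, before any expansion happens.
    private static final String PLIST_WITH_DOCTYPE =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<!DOCTYPE plist [ <!ENTITY greeting \"hello\"> ]>\n"
      + "<plist version=\"1.0\"><dict><key>msg</key><string>&greeting;</string></dict></plist>";

    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // XXE prevention cheat sheet settings: no DOCTYPE at all (hence no entity
        // declarations), no external entities and no external DTD fetch.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // Defence in depth: the JDK secure-processing limits (the 64000 entity
        // expansion cap quoted in the thread) apply even if a DOCTYPE were allowed.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    /** Returns true when the hardened parser rejects the document, false if it parsed. */
    static boolean rejectsDocument(String xml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        try {
            builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (SAXParseException e) {
            // With disallow-doctype-decl the error names the DOCTYPE, not an expansion limit.
            System.err.println("rejected: " + e.getMessage());
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("DOCTYPE rejected: " + rejectsDocument(PLIST_WITH_DOCTYPE));
    }
}
```

Removing the `disallow-doctype-decl` line and re-running shows the second layer: the document then parses, and only a document with enough nested entities trips the JAXP00010001 expansion limit the maintainer quoted, which is the situation the reporter hit when that property was not set in their application.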