Closed zahiritpro closed 5 years ago
Can you please share an example of how the Billion Laughs attack can be launched against the XMLPropertyListParser? Because I cannot reproduce it.
All recommended factory settings as per the XXE prevention cheat sheet are already in place. See #26.
A quick unit test confirmed that the current settings prevent the attack. The following exception is thrown by the parser:
[Fatal Error] :1:1: JAXP00010001: The parser has encountered more than "64000" entity expansions in this document; this is the limit imposed by the JDK
So what is the added benefit of XMLConstants.FEATURE_SECURE_PROCESSING?
Can you try parsing the XML content in the link below? https://en.wikipedia.org/wiki/Billion_laughs_attack#Code_example
That's exactly the XML I used for testing.
If you don't object, I would close this issue.
Yeah, I see the test working fine. I noticed that if the fSecureProcess property of DocumentBuilderFactory is true, the parser works fine. This property wasn't true when I tried it in my application, hence the attack went through. Will check what is different.
You shall close the issue. Thank you!
Able to launch the Billion Laughs attack (https://en.wikipedia.org/wiki/Billion_laughs_attack).
However, adding the code below to XMLPropertyListParser seems to restrict the vulnerability:
FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
Please review.
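For reference, the factory configuration discussed in this thread and the check that it rejects the Wikipedia entity-expansion document, as an added stand-alone example (not code from dd-plist or from either participant). Class and method names are made up for the example; the feature URIs are standard SAX/Xerces ones, and the DOCTYPE is left enabled because a plist carries one.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXParseException;

public class BillionLaughsCheck {

    // Hardened factory (example configuration, not the project's own code).
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Enforces the JDK entity-expansion limit (the "64000" in the error quoted above).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // A plist has a DOCTYPE, so the DOCTYPE itself stays allowed; instead cut off
        // every external fetch (XXE) and keep entity references unexpanded in the DOM.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // True when the parser refuses the document because the expansion limit was hit.
    static boolean rejectsEntityBomb(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        try {
            b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return false; // parsed to completion: the limit did not fire
        } catch (SAXParseException e) {
            return e.getMessage().contains("entity expansions");
        }
    }

    // Constructed input: the classic nested-entity document from the linked Wikipedia page
    // (lol1 = 10 x lol, lol2 = 10 x lol1, ... , body references lol9).
    static String billionLaughs() {
        StringBuilder doc = new StringBuilder("<?xml version=\"1.0\"?>\n<!DOCTYPE lolz [\n <!ENTITY lol \"lol\">\n");
        for (int i = 1; i <= 9; i++) {
            String prev = (i == 1) ? "lol" : "lol" + (i - 1);
            StringBuilder def = new StringBuilder();
            for (int j = 0; j < 10; j++) def.append('&').append(prev).append(';');
            doc.append(" <!ENTITY lol").append(i).append(" \"").append(def).append("\">\n");
        }
        return doc.append("]>\n<lolz>&lol9;</lolz>\n").toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("rejected: " + rejectsEntityBomb(hardenedFactory(), billionLaughs()));
    }
}
```

The JDK's default error handler still prints the "[Fatal Error] ... JAXP00010001" line seen in the thread before the exception is caught; a production parser would install its own ErrorHandler and log that as a rejected document rather than a parser crash.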