k2n / saml20-clj

A Clojure SAML 2.0 library for SSO

Vulnerable default configuration #3

Closed Elknar closed 6 years ago

Elknar commented 6 years ago

The current default config allows external entity processing: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing . This will lead to an XML injection issue, at the very least allowing an unauthorized party read access to the file system.

Adding this to the `new-doc-builder` fn should help:

```clojure
(.setFeature doc "http://xml.org/sax/features/external-parameter-entities" false)
(.setFeature doc "http://apache.org/xml/features/nonvalidating/load-external-dtd" false)
(.setExpandEntityReferences doc false)
```

Additionally, there are no restrictions on the entity size, this may lead to denial of service with an XML bomb.

k2n commented 6 years ago

Applied the change. Thanks for raising the issue.

Elknar commented 6 years ago

@k2n terribly sorry, I forgot to include an important part in the original post: `(.setFeature doc "http://xml.org/sax/features/external-general-entities" false)` is also necessary, as the above only protects from external parameters.
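Below is a complete hardened `DocumentBuilderFactory` that combines the three settings from the original post with the external-general-entities feature from the follow-up comment. This is an added example for readers of the thread, not code from saml20-clj or from either commenter. The `disallow-doctype-decl`, `FEATURE_SECURE_PROCESSING` and XInclude settings go beyond what the issue suggests (they also cover the entity-expansion denial of service mentioned in the first comment, since no DTD means no entity declarations at all), and the sample XML strings are constructed for illustration.

```clojure
(ns example.hardened-xml
  (:import [javax.xml.parsers DocumentBuilderFactory]
           [javax.xml XMLConstants]
           [java.io ByteArrayInputStream]
           [org.xml.sax SAXParseException]))

(defn ^DocumentBuilderFactory hardened-doc-builder-factory
  "Returns a namespace-aware DocumentBuilderFactory with every form of
   entity resolution disabled. Settings marked 'added here' are this
   example's additions, not something the issue or the library specifies."
  []
  (doto (DocumentBuilderFactory/newInstance)
    (.setNamespaceAware true)
    ;; From the original post: no external parameter entities, no external
    ;; DTD loading, no expansion of entity references in the resulting DOM
    (.setFeature "http://xml.org/sax/features/external-parameter-entities" false)
    (.setFeature "http://apache.org/xml/features/nonvalidating/load-external-dtd" false)
    (.setExpandEntityReferences false)
    ;; From the follow-up comment: external general entities are the ones
    ;; that actually pull file or URL contents into element content
    (.setFeature "http://xml.org/sax/features/external-general-entities" false)
    ;; Added here: SAML messages never need a DTD, so reject any DOCTYPE
    ;; outright. Without a DTD there are no entity declarations, which also
    ;; removes the entity-expansion (XML bomb) vector.
    (.setFeature "http://apache.org/xml/features/disallow-doctype-decl" true)
    ;; Added here: JAXP secure processing (entity-count and size limits
    ;; as a second line of defence) and no XInclude
    (.setFeature XMLConstants/FEATURE_SECURE_PROCESSING true)
    (.setXIncludeAware false)))

(defn parse-outcome
  "Parses xml-str with the hardened factory. Returns :rejected when the
   parser refuses the document (any DOCTYPE trips disallow-doctype-decl)
   and :parsed when it is accepted."
  [^String xml-str]
  (let [builder (.newDocumentBuilder (hardened-doc-builder-factory))]
    (try
      (.parse builder (ByteArrayInputStream. (.getBytes xml-str "UTF-8")))
      :parsed
      (catch SAXParseException _ :rejected))))

;; Constructed sample inputs (not taken from the issue).
(def plain-assertion
  "<saml:Assertion xmlns:saml=\"urn:oasis:names:tc:SAML:2.0:assertion\"/>")

;; A DOCTYPE declaring an external entity; the SYSTEM id is a placeholder.
(def doctype-with-external-entity
  (str "<!DOCTYPE r [<!ENTITY ext SYSTEM \"file:///placeholder/path\">]>"
       "<r>&ext;</r>"))

;; A small nested-entity declaration of the kind an expansion bomb builds on.
(def nested-entity-declaration
  (str "<!DOCTYPE r [<!ENTITY a \"aaaaaaaaaa\">"
       "<!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">]>"
       "<r>&b;</r>"))

(comment
  (parse-outcome plain-assertion)
  (parse-outcome doctype-with-external-entity)
  (parse-outcome nested-entity-declaration))
</ClojureBlockEnd>
```

With this factory the plain assertion parses normally, while both DOCTYPE-bearing inputs are refused before any entity is declared, let alone resolved: the JDK's built-in Xerces raises a fatal `SAXParseException` ("DOCTYPE is disallowed ...") as soon as it sees the declaration. If a deployment genuinely must accept DTDs, drop only the `disallow-doctype-decl` line and rely on the four entity features plus secure processing, and verify the behaviour with the same three inputs after every parser or JDK upgrade, since feature support is implementation-specific.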