From 345a8534ff39cc9550cbacabe2b3fffe20293508 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 22 Jun 2017 14:26:15 +0200 Subject: implement a workaround to fix XXE and SSRF problems in an old XMLStreamParser implementation of a third party library --- .../main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'BKUViewer/src') diff --git a/BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java b/BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java index fe48eefa..95d2b78c 100644 --- a/BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java +++ b/BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java @@ -139,6 +139,16 @@ public class SLXHTMLValidator implements at.gv.egiz.bku.viewer.Validator { spf.setValidating(true); spf.setXIncludeAware(false); + try { + spf.setFeature("http://xml.org/sax/features/external-general-entities", false); + spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false); + spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); + + } catch (Exception e) { + log.error("Can NOT set SAX parser security features. -> XML parsing is possible insecure!!!! ", e); + + } + SAXParser parser; try { parser = spf.newSAXParser(); @@ -150,6 +160,7 @@ public class SLXHTMLValidator implements at.gv.egiz.bku.viewer.Validator { throw new RuntimeException("Failed to create SLXHTML parser.", e); } + InputSource source; if (charset != null) { source = new InputSource(new InputStreamReader(is, charset)); -- cgit v1.2.3 From d840a372f84518c4026efd3d463cfcffac930e46 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Thu, 22 Jun 2017 14:56:15 +0200 Subject: update jUnit test do validate XXE prevention in Signed data viewer --- .../java/at/gv/egiz/bku/slxhtml/ValidatorTest.java | 22 ++++++++++++++++++++++ .../gv/egiz/bku/slxhtml/zugang_with_DocType.xhtml | 21 +++++++++++++++++++++ 2 files changed, 43 insertions(+) create mode 100644 BKUViewer/src/test/resources/at/gv/egiz/bku/slxhtml/zugang_with_DocType.xhtml (limited to 'BKUViewer/src') diff --git a/BKUViewer/src/test/java/at/gv/egiz/bku/slxhtml/ValidatorTest.java b/BKUViewer/src/test/java/at/gv/egiz/bku/slxhtml/ValidatorTest.java index 1dd8c45f..d51b52eb 100644 --- a/BKUViewer/src/test/java/at/gv/egiz/bku/slxhtml/ValidatorTest.java +++ b/BKUViewer/src/test/java/at/gv/egiz/bku/slxhtml/ValidatorTest.java @@ -71,4 +71,26 @@ public class ValidatorTest { } + @Test + public void testValidateWithDocType() throws ValidationException { + + String slxhtmlFile = "at/gv/egiz/bku/slxhtml/zugang_with_DocType.xhtml"; + + Validator validator = ValidatorFactory.newValidator("application/xhtml+xml"); + + ClassLoader cl = ValidatorTest.class.getClassLoader(); + InputStream slxhtml = cl.getResourceAsStream(slxhtmlFile); + long t0 = System.currentTimeMillis(); + try { + validator.validate(slxhtml, null); + + } catch (ValidationException e) { + e.printStackTrace(); + throw e; + } + long t1 = System.currentTimeMillis(); + log.info("Validated SLXHTML file '{}' in {}ms.", slxhtmlFile, t1 - t0); + + } + } diff --git a/BKUViewer/src/test/resources/at/gv/egiz/bku/slxhtml/zugang_with_DocType.xhtml b/BKUViewer/src/test/resources/at/gv/egiz/bku/slxhtml/zugang_with_DocType.xhtml new file mode 100644 index 00000000..7417897f --- /dev/null +++ b/BKUViewer/src/test/resources/at/gv/egiz/bku/slxhtml/zugang_with_DocType.xhtml @@ -0,0 +1,21 @@ + + +]> + + + &xxe;Signatur der Anmeldedaten + + + +

Signatur der Anmeldedaten

+

+

Mit meiner elektronischen Signatur beantrage ich, Horst Rotzstopper, geboren am 12.12.1985, den Zugang zur gesicherten Anwendung.

+

+

Datum und Uhrzeit: 07.11.2008, 14:04:18

+

wbPK(*): LTpz8VYzns2jrx0J8Gm/R/nAhxA=

+

+
+
(*) wbPK: Das wirtschaftsbereichsspezifische Personenkennzeichen wird aus den jeweiligen Stammzahlen des Bürgers und des Wirtschaftsunternehmens berechnet und ermöglicht eine eindeutige Zuordnung des Bürgers zum Wirtschaftsunternehmen.
+ + \ No newline at end of file -- cgit v1.2.3 From 0603c0fbdfe028113431c65590b6e7e28929f6f6 Mon Sep 17 00:00:00 2001 From: Thomas Lenz Date: Fri, 23 Jun 2017 06:50:14 +0200 Subject: some small refactoring and code documentation --- BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java | 3 +++ 1 file changed, 3 insertions(+) (limited to 'BKUViewer/src') diff --git a/BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java b/BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java index 95d2b78c..6fea75cb 100644 --- a/BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java +++ b/BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java @@ -139,6 +139,9 @@ public class SLXHTMLValidator implements at.gv.egiz.bku.viewer.Validator { spf.setValidating(true); spf.setXIncludeAware(false); + /* + * Set parser features to disallow external entities and external dtd load operations + */ try { spf.setFeature("http://xml.org/sax/features/external-general-entities", false); spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false); -- cgit v1.2.3