From 345a8534ff39cc9550cbacabe2b3fffe20293508 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Thu, 22 Jun 2017 14:26:15 +0200
Subject: implement a workaround to fix XXE and SSRF problems in an old
 XMLStreamParser implementation of a third party library

---
 .../main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java    | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'BKUViewer')

diff --git a/BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java b/BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java
index fe48eefa..95d2b78c 100644
--- a/BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java
+++ b/BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java
@@ -139,6 +139,16 @@ public class SLXHTMLValidator implements at.gv.egiz.bku.viewer.Validator {
     spf.setValidating(true);
     spf.setXIncludeAware(false);
     
+    try {    	
+    	spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+    	spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+    	spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+    	
+    } catch (Exception e) {
+    	log.error("Can NOT set SAX parser security features. -> XML parsing is possible insecure!!!! ", e);
+    	
+	}
+    
     SAXParser parser;
     try {
       parser = spf.newSAXParser();
@@ -150,6 +160,7 @@ public class SLXHTMLValidator implements at.gv.egiz.bku.viewer.Validator {
       throw new RuntimeException("Failed to create SLXHTML parser.", e);
     }
     
+       
     InputSource source;
     if (charset != null) {
       source = new InputSource(new InputStreamReader(is, charset));
-- 
cgit v1.2.3


From d840a372f84518c4026efd3d463cfcffac930e46 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Thu, 22 Jun 2017 14:56:15 +0200
Subject: update jUnit test do validate XXE prevention in Signed data viewer

---
 .../java/at/gv/egiz/bku/slxhtml/ValidatorTest.java | 22 ++++++++++++++++++++++
 .../gv/egiz/bku/slxhtml/zugang_with_DocType.xhtml  | 21 +++++++++++++++++++++
 2 files changed, 43 insertions(+)
 create mode 100644 BKUViewer/src/test/resources/at/gv/egiz/bku/slxhtml/zugang_with_DocType.xhtml

(limited to 'BKUViewer')

diff --git a/BKUViewer/src/test/java/at/gv/egiz/bku/slxhtml/ValidatorTest.java b/BKUViewer/src/test/java/at/gv/egiz/bku/slxhtml/ValidatorTest.java
index 1dd8c45f..d51b52eb 100644
--- a/BKUViewer/src/test/java/at/gv/egiz/bku/slxhtml/ValidatorTest.java
+++ b/BKUViewer/src/test/java/at/gv/egiz/bku/slxhtml/ValidatorTest.java
@@ -71,4 +71,26 @@ public class ValidatorTest {
     
   }
   
+  @Test
+  public void testValidateWithDocType() throws ValidationException {
+    
+    String slxhtmlFile = "at/gv/egiz/bku/slxhtml/zugang_with_DocType.xhtml";
+    
+    Validator validator = ValidatorFactory.newValidator("application/xhtml+xml");
+
+    ClassLoader cl = ValidatorTest.class.getClassLoader();
+    InputStream slxhtml = cl.getResourceAsStream(slxhtmlFile);
+    long t0 = System.currentTimeMillis();
+    try {
+      validator.validate(slxhtml, null);
+      
+    } catch (ValidationException e) {
+      e.printStackTrace();
+      throw e;
+    }
+    long t1 = System.currentTimeMillis();
+    log.info("Validated SLXHTML file '{}' in {}ms.", slxhtmlFile, t1 - t0);
+    
+  }
+  
 }
diff --git a/BKUViewer/src/test/resources/at/gv/egiz/bku/slxhtml/zugang_with_DocType.xhtml b/BKUViewer/src/test/resources/at/gv/egiz/bku/slxhtml/zugang_with_DocType.xhtml
new file mode 100644
index 00000000..7417897f
--- /dev/null
+++ b/BKUViewer/src/test/resources/at/gv/egiz/bku/slxhtml/zugang_with_DocType.xhtml
@@ -0,0 +1,21 @@
+<!DOCTYPE lolz [
+	<!ELEMENT foo ANY >
+  <!ENTITY xxe SYSTEM "file:///etc/testtesttst" >
+]>
+<html xmlns="http://www.w3.org/1999/xhtml">
+  <head>
+    <title>&xxe;Signatur der Anmeldedaten</title>
+    <style media="screen" type="text/css">.boldstyle { font-weight: bold; } .italicstyle { font-style: italic; } .annotationstyle { font-size: small; }</style>
+  </head>
+  <body>
+    <h1>Signatur der Anmeldedaten</h1>
+    <p></p>
+    <h4>Mit meiner elektronischen Signatur beantrage ich, <span class="boldstyle">Horst Rotzstopper</span>, geboren am 12.12.1985, den Zugang zur gesicherten Anwendung.</h4>
+    <p></p>
+    <h4>Datum und Uhrzeit: 07.11.2008, 14:04:18</h4>
+    <h4>wbPK(*): LTpz8VYzns2jrx0J8Gm/R/nAhxA=</h4>
+    <p></p>
+    <hr></hr>
+    <div class="annotationstyle">(*) wbPK: Das <span class="italicstyle">wirtschaftsbereichsspezifische Personenkennzeichen</span> wird aus den jeweiligen Stammzahlen des Bürgers und des Wirtschaftsunternehmens berechnet und ermöglicht eine eindeutige Zuordnung des Bürgers zum		Wirtschaftsunternehmen.</div>
+  </body>
+</html>
\ No newline at end of file
-- 
cgit v1.2.3


From 0603c0fbdfe028113431c65590b6e7e28929f6f6 Mon Sep 17 00:00:00 2001
From: Thomas Lenz <thomas.lenz@egiz.gv.at>
Date: Fri, 23 Jun 2017 06:50:14 +0200
Subject: some small refactoring and code documentation

---
 BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'BKUViewer')

diff --git a/BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java b/BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java
index 95d2b78c..6fea75cb 100644
--- a/BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java
+++ b/BKUViewer/src/main/java/at/gv/egiz/bku/slxhtml/SLXHTMLValidator.java
@@ -139,6 +139,9 @@ public class SLXHTMLValidator implements at.gv.egiz.bku.viewer.Validator {
     spf.setValidating(true);
     spf.setXIncludeAware(false);
     
+    /*
+     * Set parser features to disallow external entities and external dtd load operations
+     */
     try {    	
     	spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
     	spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
-- 
cgit v1.2.3