[ 
https://issues.apache.org/jira/browse/CXF-6217?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14607679#comment-14607679
 ] 

Donald Kwakkel commented on CXF-6217:
-------------------------------------

Can you answer my previous comment?

Also found some more occurrences (CXF 3.1.1):
1. org.apache.cxf.jaxrs.ext.xml.XmlSource: XPath xpath = XPathFactory.newInstance().newXPath();
2. org.apache.cxf.jaxrs.provider.XSLTJaxbProvider: factory = (SAXTransformerFactory)TransformerFactory.newInstance();
3. org.apache.cxf.tools.validator.internal.ValidatorUtil: DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
4. org.apache.cxf.tools.common.toolspec.ToolSpec: Transformer trans = TransformerFactory.newInstance().newTransformer(new StreamSource(stylesheet));
5. org.apache.cxf.management.web.browser.bootstrapping.SimpleXMLSettingsStorage: entries = (Entries) unmarshaller.unmarshal(file);
6. org.apache.cxf.tools.validator.internal.SchemaValidator: SAXSource saxSource = new SAXSource(saxParser.getXMLReader(), wsdlsource);
7. org.apache.cxf.tools.wsdlto.core.PluginLoader: return (Plugin) ((JAXBElement<?>)unmarshaller.unmarshal(is)).getValue();
8. org.apache.cxf.transport.http.netty.server.blueprint.NettyHttpServerEngineFactoryHolder: Element element = docFactory.newDocumentBuilder().parse(new ByteArrayInputStream(parsedElement.getBytes())).getDocumentElement();
9. org.apache.cxf.transport.http_jetty.blueprint.JettyHTTPServerEngineFactoryHolder: Element element = docFactory.newDocumentBuilder().parse(new ByteArrayInputStream(parsedElement.getBytes())).getDocumentElement();
10. org.apache.cxf.tools.wsdlto.databinding.jaxb.NamespaceContextImpl: document = docFact.newDocumentBuilder().parse(file);



Do you want a new ticket for this?


> JmsPullPoint does not protect against external entities
> -------------------------------------------------------
>
>                 Key: CXF-6217
>                 URL: https://issues.apache.org/jira/browse/CXF-6217
>             Project: CXF
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 3.0.1
>            Reporter: Donald Kwakkel
>            Assignee: Daniel Kulp
>             Fix For: 3.0.4, 2.7.15
>
>
> I am not sure if this is by design, but the unmarshal below does not prevent 
> nor limit external entity resolution. This can expose the parser to an XML 
> External Entities attack.
> JmsPullPoint:
> {code:java}
>     protected synchronized List<NotificationMessageHolderType> getMessages(int max)
>         throws ResourceUnknownFault, UnableToGetMessagesFault {
>         try {
>             if (max == 0) {
>                 max = 256;
>             }
>             initSession();
>             List<NotificationMessageHolderType> messages = new ArrayList<NotificationMessageHolderType>();
>             for (int i = 0; i < max; i++) {
>                 Message msg = consumer.receiveNoWait();
>                 if (msg == null) {
>                     break;
>                 }
>                 TextMessage txtMsg = (TextMessage) msg;
>                 StringReader reader = new StringReader(txtMsg.getText());
>                 Notify notify = (Notify) jaxbContext.createUnmarshaller().unmarshal(reader);
>                 messages.addAll(notify.getNotificationMessage());
>             }
>             return messages;
>         }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
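The ticket and the follow-up comment above are about the same defect in several places: a JAXP or JAXB parser created with factory defaults, which in the JDK's bundled Xerces means the DTD is loaded and external entities are resolved. The following is an added example written for this page, not CXF code and not part of the fix committed for this ticket. It reproduces the shape of the JmsPullPoint unmarshal call against a constructed XXE payload, then shows the hardened equivalents for each kind of call site listed in the comment: JAXB fed through a locked-down SAXSource (items 5 and 7 and the JmsPullPoint code), a hardened DocumentBuilderFactory (items 3, 8, 9 and 10) and a TransformerFactory with external access closed off (items 2 and 4). The XxeHardening class, the Notify stand-in type, the file path in the entity and the payload itself are all constructed for the demo; the real Notify type comes from the WS-Notification schema. It assumes JAXB on the classpath (JDK 8, or the jaxb-api and jaxb-runtime jars on newer JDKs).

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.UnmarshalException;
import javax.xml.bind.annotation.XmlElement;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;

/** Constructed demo class; not CXF code. */
public final class XxeHardening {

    private static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String EXT_GENERAL = "http://xml.org/sax/features/external-general-entities";
    private static final String EXT_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";

    // Constructed payload: a classic XXE probe that inlines a local file into the message body.
    static final String PAYLOAD =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE Notify [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n"
        + "<Notify><message>&xxe;</message></Notify>";

    // Stand-in for the WS-Notification Notify type that the reported code unmarshals.
    @XmlRootElement(name = "Notify")
    public static class Notify {
        @XmlElement public String message;
    }

    // Same shape as the JmsPullPoint code in the report: JAXB builds its own SAX parser with defaults,
    // so the DTD is processed and &xxe; is replaced by the contents of the referenced file.
    static Notify unmarshalUnsafe(JAXBContext ctx, String xml) throws Exception {
        return (Notify) ctx.createUnmarshaller().unmarshal(new StringReader(xml));
    }

    // Hardened: hand JAXB a SAXSource whose XMLReader refuses any DOCTYPE, so no entity is ever defined.
    static Notify unmarshalSafe(JAXBContext ctx, String xml) throws Exception {
        XMLReader reader = hardenedSaxFactory().newSAXParser().getXMLReader();
        SAXSource source = new SAXSource(reader, new InputSource(new StringReader(xml)));
        return (Notify) ctx.createUnmarshaller().unmarshal(source);
    }

    static SAXParserFactory hardenedSaxFactory() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature(DISALLOW_DOCTYPE, true);   // strongest setting: reject the DTD outright
        spf.setFeature(EXT_GENERAL, false);       // defence in depth if a DTD must be tolerated
        spf.setFeature(EXT_PARAMETER, false);
        return spf;
    }

    // For the DocumentBuilderFactory call sites: same features, plus no XInclude and no entity expansion.
    static Document parseSafe(byte[] xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature(DISALLOW_DOCTYPE, true);
        dbf.setFeature(EXT_GENERAL, false);
        dbf.setFeature(EXT_PARAMETER, false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    // For the TransformerFactory call sites: a stylesheet can pull in external DTDs and other stylesheets,
    // so both access properties are set to the empty string (no protocols allowed).
    static TransformerFactory hardenedTransformerFactory() {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    public static void main(String[] args) throws Exception {
        JAXBContext ctx = JAXBContext.newInstance(Notify.class);
        try {
            Notify leaked = unmarshalUnsafe(ctx, PAYLOAD);
            System.out.println("unsafe: entity expanded, message = " + leaked.message.trim());
        } catch (Exception e) {
            System.out.println("unsafe: parser tried to fetch the entity and failed: " + e.getCause());
        }
        try {
            unmarshalSafe(ctx, PAYLOAD);
            System.out.println("safe: unexpectedly accepted the payload");
        } catch (UnmarshalException expected) {
            System.out.println("safe: rejected -> " + expected.getCause());
        }
        try {
            parseSafe(PAYLOAD.getBytes(StandardCharsets.UTF_8));
        } catch (SAXParseException expected) {
            System.out.println("DOM: rejected -> " + expected.getMessage());
        }
    }
}
```

The unsafe path either prints the referenced file's contents or, if the file is absent, fails while trying to fetch it; either outcome shows the parser acted on the attacker-supplied entity. Both hardened paths reject the document at the DOCTYPE before any entity is declared. For the XPath case (item 1), an XPath evaluated over a Document that was produced by parseSafe inherits that protection; only XPath.evaluate called directly on an InputSource parses XML itself and would need the same treatment.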
