Thanks for your feedback, I'll create a PR to add a system property to disable XML External Entity[1] leaving the default as it is.
[1] https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing

On Thu, 27 Oct 2022 at 17:02, Gary Tully <gtu...@apache.org> wrote:
> I recall this being reported via security@.. back in dec/2020: subject - "ActiveMQ Artemis XXE in XMLUtil"
> at that time I rejected it b/c it needs access to the file system. I think that is still true.
> We disable those features for xpath expansion, I guess it makes sense to be able to disable for xml config parsing too, and a system property would suffice, but I would leave the default as it is.
>
> On Thu, 27 Oct 2022 at 13:04, Clebert Suconic <clebert.suco...@gmail.com> wrote:
> >
> > I think this is a good plan Dom.
> >
> > On Wed, Oct 26, 2022 at 6:06 PM Domenico Francesco Bruscino <brus...@apache.org> wrote:
> >
> > > An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts[1].
> > >
> > > ActiveMQ Artemis is using xml include to support modularising broker.xml[2] so disabling XML External Entity[1] by default would break this feature.
> > >
> > > A system property could be added to enable XML External Entity[1] to mitigate this backward compatibility issue. While new users could use broker properties[3] in place of modularising broker.xml[2].
> > >
> > > Do you have any concerns?
> > >
> > > Regards,
> > > Domenico
> > >
> > > [1] https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
> > > [2] https://github.com/apache/activemq-artemis/blob/main/docs/user-manual/en/configuration-index.md#modularising-brokerxml
> > > [3] https://github.com/apache/activemq-artemis/blob/main/docs/user-manual/en/configuration-index.md#broker-properties
> >
> > --
> > Clebert Suconic
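As an added illustration of the approach discussed in the thread (this is not code from the thread or from the Artemis project): a `DocumentBuilderFactory` that keeps XInclude enabled for modularised configuration while disabling external entity resolution unless a system property opts back in. The property name `example.xml.allowExternalEntities` and the class name are placeholders, not the ones the PR would introduce.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;

public class XmlConfigParserExample {

   // Placeholder property name; the real PR would pick its own.
   static final String ALLOW_XXE_PROPERTY = "example.xml.allowExternalEntities";

   static DocumentBuilderFactory newFactory() throws ParserConfigurationException {
      DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
      factory.setNamespaceAware(true);
      // XInclude operates on <xi:include> elements, not on DTD entities,
      // so it can stay enabled while external entities are switched off.
      factory.setXIncludeAware(true);
      // Default is "disabled"; -Dexample.xml.allowExternalEntities=true restores the old behaviour.
      if (!Boolean.getBoolean(ALLOW_XXE_PROPERTY)) {
         factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
         factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
         factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
         factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
         factory.setExpandEntityReferences(false);
      }
      return factory;
   }

   public static void main(String[] args) throws Exception {
      // Constructed sample: a DOCTYPE declaring an external entity that points at a local file.
      String xml = "<?xml version=\"1.0\"?>\n"
         + "<!DOCTYPE configuration [<!ENTITY ext SYSTEM \"file:///path/that/must/not/be/read\">]>\n"
         + "<configuration><name>&ext;</name></configuration>";
      DocumentBuilder builder = newFactory().newDocumentBuilder();
      Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
      // With the property unset the entity is left unresolved, so the element text is empty
      // instead of holding the file's contents.
      System.out.println("name = [" + doc.getDocumentElement().getTextContent() + "]");
   }
}
```

Run once without the property and once with `-Dexample.xml.allowExternalEntities=true` to see the two behaviours side by side; an `xi:include` of a second file parses the same way in both modes.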