Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update: XML External Entity Prevention Cheat Sheet #966

Closed
JoeFound opened this issue Aug 19, 2022 · 2 comments
Closed

Update: XML External Entity Prevention Cheat Sheet #966

JoeFound opened this issue Aug 19, 2022 · 2 comments
Labels
ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it. HELP_WANTED Issue for which help is wanted to do the job. UPDATE_CS Issue about the update/refactoring of a existing cheat sheet.

Comments

@JoeFound
Copy link
Contributor

What is missing or needs to be updated?

The section JAXP DocumentBuilderFactory, SAXParserFactory and DOM4J is a bit confusing to understand correctly when deciding what are the features to consider.
The section:
// and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks" dbf.setXIncludeAware(false); dbf.setExpandEntityReferences(false);
sounds as it is required only when disallow-doctype-decl is not applicable, whilst it is required in all cases.

Additionally setExpandEntityReferences(false); is a not available for SAXParserFactory, where it would be possible to use

setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
to mitigate the risk of Resource Exaustion.

How should this be resolved?

Adding additional comments before the dbf.setXIncludeAware(false); line to clarify that is required regardless of the Xerces version and possibly add a separate code snippet section featuring the remediation for SAXParserFactory.
@JoeFound JoeFound added ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. HELP_WANTED Issue for which help is wanted to do the job. UPDATE_CS Issue about the update/refactoring of a existing cheat sheet. labels Aug 19, 2022
@mackowski
Copy link
Collaborator

Good point! Thanks! @JoeFound do you want to make a PR?

@mackowski mackowski added ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it. and removed ACK_WAITING Issue waiting acknowledgement from core team before to start the work to fix it. labels Oct 17, 2022
@JoeFound JoeFound mentioned this issue Mar 15, 2023
Merged
8 tasks
@JoeFound
Copy link
Contributor Author

Closing this Issue, since the PR is now merged

@chadlwilson chadlwilson mentioned this issue Jul 19, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
ACK_OBTAINED Issue acknowledged from core team so work can be done to fix it. HELP_WANTED Issue for which help is wanted to do the job. UPDATE_CS Issue about the update/refactoring of a existing cheat sheet.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@JoeFound @mackowski