Bug 1108548

Summary: [QE] (6.4.0) Resteasy secure processing to be turn on by default to apply entity expansion limit
Product: [JBoss] JBoss Enterprise Application Platform 6 Reporter: Katerina Odabasi <kanovotn>
Component: RESTEasyAssignee: Ron Sigal <rsigal>
Status: CLOSED DUPLICATE QA Contact: Katerina Odabasi <kanovotn>
Severity: medium Docs Contact: Russell Dickenson <rdickens>
Priority: unspecified    
Version: 6.3.0CC: aneelica, cdewolf, kanovotn, myarboro, rsvoboda, vtunka, yyang
Target Milestone: ---Keywords: Triaged
Target Release: EAP 6.4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1090487 Environment:
Last Closed: 2014-07-21 18:11:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1090487    
Bug Blocks:    

Description Katerina Odabasi 2014-06-12 08:35:16 UTC 
+++ This bug was initially created as a clone of Bug #1090487 +++

Description of problem:
TestXXESecureProcessing testcase fails on the following tests:
Failed tests:   testXmlRootElementWithExternalExpansionBig(org.jboss.resteasy.test.xxe.TestXXESecureProcessing): expected:<400> but was:<200>
  testXmlRootElementDefaultBig(org.jboss.resteasy.test.xxe.TestXXESecureProcessing): expected:<400> but was:<200>
  testXmlRootElementWithoutExternalExpansionBig(org.jboss.resteasy.test.xxe.TestXXESecureProcessing): expected:<400> but was:<200>


Version-Release number of selected component (if applicable):
6.3.0.ER2

How reproducible:
always

Steps to Reproduce:
1. git clone https://github.com/resteasy/Resteasy.git resteasy-ts; cd resteasy-ts
2. uncomment xercesImpl dependency in resteasy-jaxb-provider project pom
3. mvn clean verify -fn -pl :resteasy-jaxb-provider,:resteasy-test-tjws,:tjws -Dtest=TestXXESecureProcessing

Actual results:
The response is 200 (OK) instead of

Expected results:
status: 400
Result: <HTML><HEAD><TITLE>400 javax.xml.bind.UnmarshalException</TITLE></HEAD><BODY BGCOLOR="#D1E9FE"><H2>400 javax.xml.bind.UnmarshalException</H2><PRE>
 - with linked exception:
[org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1; JAXP00010001: The parser has encountered more than &quot;64000&quot; entity expansions in this document; this is the limit imposed by the JDK.]</PRE><HR><ADDRESS><A HREF="http://tjws.sourceforge.net">D. Rogatkin's TJWS based on Acme.Serve Version 1.70, $Revision: 1.194 $</A></ADDRESS></BODY></HTML>

Additional info:
The tests fails on any platform, with xercesImpl project dependency defined. It fails with xerces:xercesImpl:2.9.1-redhat-4 provided by EAP and also with xerces:xercesImpl:2.9.1 upstream dependecy.

--- Additional comment from Katerina Novotna on 2014-06-09 04:31:25 EDT ---

----- Original Message -----
From: "Ron Sigal" <rsigal>
To: "Katerina Novotna" <kanovotn>
Cc: "Stuart Douglas" <sdouglas>, "Kabir Khan" <kkhan>, "Pavel Slavicek" <pslavice>, "Rostislav Svoboda" <rsvoboda>, "Arun Neelicattu" <abn>, "Bill Burke" <bburke>, "Weinan Li" <weli>
Sent: Friday, June 6, 2014 9:44:29 PM
Subject: Re: XML eXternal Entity (XXE) - does expand always in particular testcase

...

2. A DOS attack can be based on the expansion of a very large entity, 
external or internal, possibly causing buffer overruns.  For example,

    String doctype =
          "<!DOCTYPE foodocument [" +
                "<!ENTITY foo 'foo'>" +
                "<!ENTITY foo1 
'&foo;&foo;&foo;&foo;&foo;&foo;&foo;&foo;&foo;&foo;'>" +
                "<!ENTITY foo2 
'&foo1;&foo1;&foo1;&foo1;&foo1;&foo1;&foo1;&foo1;&foo1;&foo1;'>" +
                "<!ENTITY foo3 
'&foo2;&foo2;&foo2;&foo2;&foo2;&foo2;&foo2;&foo2;&foo2;&foo2;'>" +
                "<!ENTITY foo4 
'&foo3;&foo3;&foo3;&foo3;&foo3;&foo3;&foo3;&foo3;&foo3;&foo3;'>" +
                "<!ENTITY foo5 
'&foo4;&foo4;&foo4;&foo4;&foo4;&foo4;&foo4;&foo4;&foo4;&foo4;'>" +
                "<!ENTITY foo6 
'&foo5;&foo5;&foo5;&foo5;&foo5;&foo5;&foo5;&foo5;&foo5;&foo5;'>" +
                ...
                "]>";

    String small = doctype + 
"<favoriteMovieXmlRootElement><title>&foo4;</title></favoriteMovieXmlRootElement>";
    String big   = doctype + 
"<favoriteMovieXmlRootElement><title>&foo5;</title></favoriteMovieXmlRootElement>";

in TestXXESecureProcessing. Now, if 
"resteasy.document.expand.entity.references" is set to false, there's no 
problem.  But if it's not set to false, the usual unmarshaling process 
takes place in AbstractJAXBProvider. Now, JAXP has an 
"entityExpansionLimit" parameter, which is supposed to default to 64000, 
which causes an Exception to be thrown if too many expansions occur.  
That's the reason I contacted you in the first place, since our version 
of xerces doesn't enforce that limit. 
https://jaxp.java.net/1.4/JAXP-Compatibility.html says that the limit 
takes effect if the "secure processing feature" is turned on, and it 
also says that the secure processing feature should be turned on by 
default.  Apparently, that doesn't happen in our version of xerces.
 ===================================================================

This problem should be listed in known issues for EAP 6.3.0.
Comment 2 Katerina Odabasi 2014-07-16 11:07:39 UTC 
*** Bug 1104497 has been marked as a duplicate of this bug. ***
Comment 5 Carlo de Wolf 2014-07-21 18:11:44 UTC 

*** This bug has been marked as a duplicate of bug 1090487 ***
Comment 6 JBoss JIRA Server 2014-10-23 23:00:15 UTC 
Ron Sigal <ron.sigal> updated the status of jira RESTEASY-1055 to Resolved
Comment 7 JBoss JIRA Server 2014-10-23 23:35:49 UTC 
Ron Sigal <ron.sigal> updated the status of jira RESTEASY-1055 to Closed