Description of problem:
From "Ron Sigal" <email@example.com>'s mail thread: "Another XXE issue".
From: "Ron Sigal" <firstname.lastname@example.org>
To: email@example.com, firstname.lastname@example.org
Cc: "Bill Burke" <email@example.com>, "Weinan Li" <firstname.lastname@example.org>
Sent: Sunday, June 1, 2014 5:46:39 AM
Subject: Another XXE issue
Hi Pavel and David,
I've been looking at RESTEASY-1055 "TestXXESecureProcessing testcase
doesn't throw UnmarshalException", and I'm writing to you because you
were both involved with JBPAPP-8055, which concerned XXE attacks. It
seems that different implementations of Xerces treat external entity
expansion differently. JAXP specifies a default limit of 64000 for the
entityExpansionLimit parameter "when the secure processing feature is
on", but different implementations seem to handle entityExpansionLimit
differently. In particular, the version that ships with JDK 1.7 (which I
tested with originally) applies the limit (and throws an Exception when
it is violated) even when secure processing is turned off, but
"xerces:xercesImpl:2.9.1-redhat-4 provided by EAP", referred to by
RESTEASY-1055, ignores the limit when secure processing is turned off.
It seems that I need to turn on secure processing explicitly to ensure
that the entity expansion limit is observed, but I don't want to change
the existing behavior of Resteasy, so I propose to add a Resteasy
parameter, "resteasy.document.secure.processing", that can be used to
turn on secure processing. If it is set to true, then it looks like I
have to use a wrapping unmarshaller like I did to prevent entity expansion.
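The behaviour described above, as an added example that is not RESTEasy's or Xerces' own code: a JAXP `DocumentBuilderFactory` configured the lenient way (secure processing off, which is where the EAP Xerces ignores the expansion limit) beside one that turns `FEATURE_SECURE_PROCESSING` on explicitly and additionally refuses any DOCTYPE, so the entity-expansion limit no longer depends on which Xerces implementation happens to be on the classpath. The XML document is constructed for the demonstration; the feature URIs are the standard JAXP, SAX and Xerces ones.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class SecureProcessingDemo {

    // Constructed sample: a harmless internal entity, enough to show whether the
    // parser accepts a DOCTYPE at all.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY e \"hello\">]><r>&e;</r>";

    /** Lenient factory: secure processing left at the implementation default. */
    static DocumentBuilderFactory lenientFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, false);
        return dbf;
    }

    /** Hardened factory: secure processing on explicitly, plus no DOCTYPE and no external entities. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Makes every Xerces flavour enforce entityExpansionLimit (default 64000).
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Stronger than a limit: reject any DOCTYPE, so no entity can be declared.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Returns the root text on success, or the parser's error message on rejection. */
    static String parseWith(DocumentBuilderFactory dbf, String xml) {
        try {
            DocumentBuilder db = dbf.newDocumentBuilder();
            Document doc = db.parse(new InputSource(new StringReader(xml)));
            return "accepted: " + doc.getDocumentElement().getTextContent();
        } catch (Exception e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("lenient  -> " + parseWith(lenientFactory(), SAMPLE));
        System.out.println("hardened -> " + parseWith(hardenedFactory(), SAMPLE));
    }
}
```

The lenient factory expands the entity and prints `hello`; the hardened one raises a `SAXParseException` at the DOCTYPE, which is the outcome a `resteasy.document.secure.processing`-style switch would need to produce regardless of the Xerces version in EAP.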
On 06/02/2014 08:44 AM, "Katerina Novotna" <email@example.com> wrote:
I'm thinking it is already too late to include this fix in EAP 6.3.0. I propose to document this issue in the known issues for EAP 6.3.0, with the proposed "workaround"
that the customer application needs to check the length of the expansion.
As to the resolution of the issue itself - it seems to me more like a problem of the current Xerces implementation present in EAP rather than a problem of Resteasy itself.
It seems cleaner to me to fix it in Xerces directly.
What do you think?
Xerces Prod git repo: http://git.app.eng.bos.redhat.com/git/xerces2-j.git/
Duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1108548
*** This bug has been marked as a duplicate of bug 1108548 ***