1104497 – xercesImpl not turn on the secure processing feature by default

Bug 1104497 - xercesImpl not turn on the secure processing feature by default

Summary: xercesImpl not turn on the secure processing feature by default

Keywords:
Status:	CLOSED DUPLICATE of bug 1108548
Alias:	None
Product:	JBoss Enterprise Application Platform 6
Classification:	JBoss
Component:	RESTEasy
Sub Component:
Version:	6.3.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Target Release:	EAP 6.3.0
Assignee:	Yong Yang
QA Contact:	Katerina Odabasi
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-06-04 07:24 UTC by Yong Yang
Modified:	2017-10-10 00:24 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-07-16 11:07:39 UTC
Type:	Bug
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1090487	0	unspecified	CLOSED	[QE] (6.4.0) Resteasy secure processing to be turn on by default to apply entity expansion limit	2021-02-22 00:41:40 UTC

Internal Links: 1090487

Description Yong Yang 2014-06-04 07:24:34 UTC

Description of problem:

From "Ron Sigal" <rsigal> 's mail thread: "Another XXE issue".

------------

From: "Ron Sigal" <rsigal>
To: pjanouse, pjanouse
Cc: "Bill Burke" <bburke>, "Weinan Li" <weli>
Sent: Sunday, June 1, 2014 5:46:39 AM
Subject: Another XXE issue

Hi Pavel and David,

I've been looking at RESTEASY-1055 "TestXXESecureProcessing testcase
doesn't throw UnmarshalException", and I'm writing to you because you
were both involved with JBPAPP-8055, which concerned XXE attacks.  It
seems that different implementations of Xerces treat external entity
expansion differently.  JAXP specifies a default limit of 64000 for the
entityExpansionLimit parameter "when the secure processing feature is
on", but different implementations seem to handle entityExpansionLimit
differently. In particular, the version that ships with JDK 1.7 (which I
tested with originally) applies the limit (and throws an Exception when
it is violated) even when secure processing is turned off, but
"xerces:xercesImpl:2.9.1-redhat-4 provided by EAP", referred to by
RESTEASY-1055, ignores the limit when secure processing is turned off.

It seems that I need to turn on secure processing explicitly to ensure
that the entity expansion limit is observed, but I don't want to change
the existing behavior of Resteasy, so I propose to add a Resteasy
parameter, "resteasy.document.secure.processing", that can be used to
turn on secure processing.  If it is set to true, then it looks like I
have to use a wrapping unmarshaller like I did to prevent entity expansion.

Any comments?

-Ron

-----------

On 06/02/2014 08:44 AM, "Katerina Novotna" <kanovotn> wrote:

Hi Ron,

I'm thinking it is already late to include this fix to EAP 6.3.0. I propose to document this issue to known issues for EAP 6.3.0, with proposed "workaround"
that customer application needs to check the length of the expansion.

To the resolution of the issue itself - it seems to me more like problem of the current xerces implementation present in EAP rather than problem of resteasy itself.
It seems more clean to me to fix it in xerces directly.

What do you think?

Comment 1 Yong Yang 2014-06-04 07:26:40 UTC

Xerces Prod git repo: http://git.app.eng.bos.redhat.com/git/xerces2-j.git/

Comment 2 Katerina Odabasi 2014-07-16 11:07:39 UTC

Dublicate to https://bugzilla.redhat.com/show_bug.cgi?id=1108548

*** This bug has been marked as a duplicate of bug 1108548 ***

Note You need to log in before you can comment on or make changes to this bug.