+++ This bug was initially created as a clone of Bug #1090487 +++

Description of problem:
The TestXXESecureProcessing testcase fails on the following tests:

Failed tests:
  testXmlRootElementWithExternalExpansionBig(org.jboss.resteasy.test.xxe.TestXXESecureProcessing): expected:<400> but was:<200>
  testXmlRootElementDefaultBig(org.jboss.resteasy.test.xxe.TestXXESecureProcessing): expected:<400> but was:<200>
  testXmlRootElementWithoutExternalExpansionBig(org.jboss.resteasy.test.xxe.TestXXESecureProcessing): expected:<400> but was:<200>

Version-Release number of selected component (if applicable):
6.3.0.ER2

How reproducible:
always

Steps to Reproduce:
1. git clone https://github.com/resteasy/Resteasy.git resteasy-ts; cd resteasy-ts
2. uncomment the xercesImpl dependency in the resteasy-jaxb-provider project pom
3. mvn clean verify -fn -pl :resteasy-jaxb-provider,:resteasy-test-tjws,:tjws -Dtest=TestXXESecureProcessing

Actual results:
The response is 200 (OK) instead of 400.

Expected results:
status: 400
Result: <HTML><HEAD><TITLE>400 javax.xml.bind.UnmarshalException</TITLE></HEAD><BODY BGCOLOR="#D1E9FE"><H2>400 javax.xml.bind.UnmarshalException</H2><PRE> - with linked exception: [org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 1; JAXP00010001: The parser has encountered more than "64000" entity expansions in this document; this is the limit imposed by the JDK.]</PRE><HR><ADDRESS><A HREF="http://tjws.sourceforge.net">D. Rogatkin's TJWS based on Acme.Serve Version 1.70, $Revision: 1.194 $</A></ADDRESS></BODY></HTML>

Additional info:
The test fails on any platform once the xercesImpl project dependency is defined. It fails with xerces:xercesImpl:2.9.1-redhat-4 provided by EAP and also with the xerces:xercesImpl:2.9.1 upstream dependency.
--- Additional comment from Katerina Novotna on 2014-06-09 04:31:25 EDT ---

----- Original Message -----
From: "Ron Sigal" <rsigal>
To: "Katerina Novotna" <kanovotn>
Cc: "Stuart Douglas" <sdouglas>, "Kabir Khan" <kkhan>, "Pavel Slavicek" <pslavice>, "Rostislav Svoboda" <rsvoboda>, "Arun Neelicattu" <abn>, "Bill Burke" <bburke>, "Weinan Li" <weli>
Sent: Friday, June 6, 2014 9:44:29 PM
Subject: Re: XML eXternal Entity (XXE) - does expand always in particular testcase

...

2. A DOS attack can be based on the expansion of a very large entity, external or internal, possibly causing buffer overruns. For example,

String doctype = "<!DOCTYPE foodocument [" +
    "<!ENTITY foo 'foo'>" +
    "<!ENTITY foo1 '&foo;&foo;&foo;&foo;&foo;&foo;&foo;&foo;&foo;&foo;'>" +
    "<!ENTITY foo2 '&foo1;&foo1;&foo1;&foo1;&foo1;&foo1;&foo1;&foo1;&foo1;&foo1;'>" +
    "<!ENTITY foo3 '&foo2;&foo2;&foo2;&foo2;&foo2;&foo2;&foo2;&foo2;&foo2;&foo2;'>" +
    "<!ENTITY foo4 '&foo3;&foo3;&foo3;&foo3;&foo3;&foo3;&foo3;&foo3;&foo3;&foo3;'>" +
    "<!ENTITY foo5 '&foo4;&foo4;&foo4;&foo4;&foo4;&foo4;&foo4;&foo4;&foo4;&foo4;'>" +
    "<!ENTITY foo6 '&foo5;&foo5;&foo5;&foo5;&foo5;&foo5;&foo5;&foo5;&foo5;&foo5;'>" +
    ...
    "]>";
String small = doctype + "<favoriteMovieXmlRootElement><title>&foo4;</title></favoriteMovieXmlRootElement>";
String big = doctype + "<favoriteMovieXmlRootElement><title>&foo5;</title></favoriteMovieXmlRootElement>";

in TestXXESecureProcessing.

Now, if "resteasy.document.expand.entity.references" is set to false, there's no problem. But if it's not set to false, the usual unmarshaling process takes place in AbstractJAXBProvider. Now, JAXP has an "entityExpansionLimit" parameter, which is supposed to default to 64000, which causes an Exception to be thrown if too many expansions occur. That's the reason I contacted you in the first place, since our version of xerces doesn't enforce that limit.

https://jaxp.java.net/1.4/JAXP-Compatibility.html says that the limit takes effect if the "secure processing feature" is turned on, and it also says that the secure processing feature should be turned on by default. Apparently, that doesn't happen in our version of xerces.

===================================================================

This problem should be listed in known issues for EAP 6.3.0.
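Because the comment above shows the JAXP expansion limit depends on the secure processing feature actually being honoured by the shipped xerces, here is an added configuration example (not RESTEasy, xerces or TJWS code) that turns the feature on explicitly and, going a step further than the limit, refuses any DOCTYPE so entity declarations are never processed at all; the class name, the `rejects` helper and the sample documents are assumptions for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedXmlCheck {

    // Hardened parser: secure processing enables the JAXP entity expansion limit,
    // and disallowing the DOCTYPE declaration means no internal or external
    // entity can be declared in the first place, whatever the parser version
    // does with the limit. The feature URIs are the standard SAX/Xerces ones.
    static SAXParser newHardenedParser() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return f.newSAXParser();
    }

    // Helper (assumed for this example): true when the hardened parser refuses
    // the document, which is the outcome a 400 response should be built from.
    static boolean rejects(String xml) throws Exception {
        try {
            newHardenedParser().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)),
                new DefaultHandler());
            return false;
        } catch (SAXParseException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs using the element name from the test case.
        String plain = "<favoriteMovieXmlRootElement><title>Brazil</title>"
            + "</favoriteMovieXmlRootElement>";
        String withDoctype = "<!DOCTYPE favoriteMovieXmlRootElement [<!ENTITY foo 'foo'>]>"
            + "<favoriteMovieXmlRootElement><title>&foo;</title>"
            + "</favoriteMovieXmlRootElement>";
        System.out.println("plain document rejected: " + rejects(plain));
        System.out.println("DOCTYPE document rejected: " + rejects(withDoctype));
    }
}
```

Running the check against the parser actually on the classpath (for instance the EAP-provided xercesImpl) shows directly whether the hardened configuration is honoured, independent of the expansion-limit behaviour this bug reports.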
*** Bug 1104497 has been marked as a duplicate of this bug. ***
*** This bug has been marked as a duplicate of bug 1090487 ***
Ron Sigal <ron.sigal> updated the status of jira RESTEASY-1055 to Resolved
Ron Sigal <ron.sigal> updated the status of jira RESTEASY-1055 to Closed