Description of problem:
Beaker is vulnerable to "XXE" (XML external entity) attacks. An authenticated user can submit a job XML to the scheduler containing entity references which reference files from the Beaker server's filesystem, thereby causing the contents to be disclosed in the web UI. For example:

    <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
    <job>
      <whiteboard>&xxe;</whiteboard>
      <recipeSet>
        <recipe>
          <distroRequires>
            <distro_arch op="=" value="x86_64"/>
          </distroRequires>
          <hostRequires/>
          <task name="/distribution/install" role="STANDALONE"/>
        </recipe>
      </recipeSet>
    </job>

This can be exploited to reveal sensitive information from the filesystem accessible by the apache user, including Kerberos keytabs and the database password in /etc/beaker/server.cfg.

Note that there are no known ways to exploit this as an anonymous user. It requires malicious action from a user with a valid Beaker account.

Version-Release number of selected component (if applicable):
All Beaker versions are vulnerable.

Steps to Reproduce:
1. Log in to Beaker as any user account
2. Submit a specially crafted job using external entity expansion, as per the above example
3. View the job in the web UI

Actual results:
Contents of /etc/passwd are revealed in the job whiteboard.

Expected results:
Job should not be accepted; it should fail to parse due to an undefined entity.

Additional info:
https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
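The mechanism behind the report, as an added example that is not Beaker's code and not the attached patch: a job-shaped XML document is fed to a parser that resolves external general entities (Python's xml.sax reader with feature_external_ges switched on, standing in for whatever parser Beaker used, which the report does not name) and the whiteboard comes back holding the contents of a file the attacker chose. Beside it is a hardened parser that rejects any DOCTYPE and never resolves external entities, so the same job fails with an undefined entity, which is the expected result stated above. The job XML, the whiteboard text, the build_job/parse_job_* helper names and the "server.cfg" secret written to a temporary file are all constructed for this demonstration; no real system file is read.

```python
"""Added example (not Beaker's code): XXE via a job whiteboard, and a
hardened job parser that rejects it.  Everything below is constructed
for the demonstration; it only mimics the shape of a Beaker job XML."""
import io
import os
import tempfile
import xml.etree.ElementTree as ET
import xml.sax
import xml.sax.handler

# Constructed stand-in for /etc/beaker/server.cfg, written to a temp file so
# the example runs anywhere without touching real system files.
_secret_path = os.path.join(tempfile.mkdtemp(), "server.cfg")
with open(_secret_path, "w") as fh:
    fh.write("database_password = hunter2\n")


def build_job(whiteboard_body, doctype=""):
    """Return a job XML (bytes) shaped like the one in the report (constructed)."""
    return (doctype + "<job><whiteboard>" + whiteboard_body + "</whiteboard>"
            '<recipeSet><recipe><task name="/distribution/install" '
            'role="STANDALONE"/></recipe></recipeSet></job>').encode()


BENIGN_JOB = build_job("nightly run")
# Same DOCTYPE trick as the report, pointed at the constructed secret file.
XXE_JOB = build_job("&xxe;", doctype=(
    '<!DOCTYPE foo [ <!ELEMENT foo ANY > '
    '<!ENTITY xxe SYSTEM "file://%s" >]>' % _secret_path))


class _WhiteboardHandler(xml.sax.handler.ContentHandler):
    """Collects the text of <whiteboard>, including any expanded entities."""

    def __init__(self):
        super().__init__()
        self._inside = False
        self.parts = []

    def startElement(self, name, attrs):
        if name == "whiteboard":
            self._inside = True

    def endElement(self, name):
        if name == "whiteboard":
            self._inside = False

    def characters(self, content):
        if self._inside:
            self.parts.append(content)


def parse_job_vulnerable(job_xml):
    """Parser that resolves external general entities, as the report describes.

    feature_external_ges is enabled explicitly because Python >= 3.7.1 turns
    it off by default; the file named in the SYSTEM identifier is read and its
    contents become the whiteboard text."""
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, True)
    handler = _WhiteboardHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(job_xml))
    return "".join(handler.parts)


class _NoDoctypeBuilder(ET.TreeBuilder):
    """Tree builder that refuses any DOCTYPE: a job has no use for a DTD, and
    the DTD is the only place an entity can be declared."""

    def doctype(self, name, pubid, system):
        raise ValueError("DOCTYPE is not allowed in job XML")


def parse_job_hardened(job_xml):
    """Accept only DTD-less XML and never resolve external entities.

    ElementTree does not load external entities, so even if a DOCTYPE got
    past the check above, '&xxe;' would fail as an undefined entity.  Both
    failure modes are surfaced as ValueError so the caller rejects the job."""
    try:
        root = ET.fromstring(job_xml,
                             parser=ET.XMLParser(target=_NoDoctypeBuilder()))
    except ET.ParseError as exc:
        raise ValueError("job XML rejected: %s" % exc) from exc
    return root.findtext("whiteboard")


def hardened_rejects(job_xml):
    """True if the hardened parser refuses the job, False if it parses it."""
    try:
        parse_job_hardened(job_xml)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable parser, whiteboard:", repr(parse_job_vulnerable(XXE_JOB)))
    print("hardened parser, benign job:", repr(parse_job_hardened(BENIGN_JOB)))
    print("hardened parser rejects XXE job:", hardened_rejects(XXE_JOB))
```

The DOCTYPE rejection is done inside the parser rather than by grepping the bytes for "<!DOCTYPE", so an encoding trick cannot slip a DTD past it, and it also shuts out internal-entity expansion attacks (billion laughs) that ElementTree would otherwise expand. The essential property is the second one, that the parser never fetches external entities; with lxml, which many Python web applications use, the corresponding setting is resolve_entities=False on its XMLParser (stated here as a general lxml option, not as what the Beaker patch did).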
Created attachment 1020003 [details] proposed patch
Verified this issue. The result is PASS.

Version: Beaker 20.1.git.5.24dc482

Steps:
1. Log in to Beaker as any user account
2. Submit a specially crafted job using external entity expansion, as per the above example in the description

Result: Failed to import job
Beaker 20.1 has been released.