GeoTools / GEOT-5514

Parser options for DISABLE_EXTERNAL_ENTITIES and ENTITY_RESOLVER

    Details

    • Type: Bug
    • Status: Closed
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: 15.1, 16-beta
    • Fix Version/s: 15.2, 16-RC1
    • Component/s: xml
    • Labels: None

      Description

      It is possible to perform an XML External Entity Injection attack in XML files parsed by GeoTools. Further details on XXE can be found here: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet

      A quick project put together to demonstrate the bug can be found here: https://github.com/aaronwaddell/geotools-xml-entity-injection

      The original StackExchange question regarding the issue can be found here: http://gis.stackexchange.com/questions/209377/prevent-xml-external-entity-injections-in-geotools-wms-client

      OWASP suggests disabling DTDs in order to prevent this kind of attack. It appears that GeoTools was once doing this, but the lines have since been commented out: org.geotools.xml.DocumentFactory:152-153. It is possible that this was done as part of development some time ago and was never picked up on because of the lack of unit tests for this class (the methods are static, so I assume this is the reason).

      If disabling DTDs won't have a negative impact on dependent modules, then I suggest we comment out these lines, which have been confirmed to fix the issue. I also suggest that the use of PowerMock or the like is considered in order to allow testing of static methods so that there is no regression.
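The two parser settings named in the issue title, shown side by side as an added example (this is not GeoTools code and does not use org.geotools.xml.DocumentFactory; it uses the plain JAXP/SAX API that such a class sits on). The vulnerable reader is a default SAXParserFactory; the hardened reader applies the OWASP cheat-sheet features (refuse DOCTYPE, switch off external general and parameter entities) and installs an EntityResolver that refuses every external reference, which is the fallback if DOCTYPEs must stay allowed. The class name, the collector handler and the DOCTYPE payload (pointing at a local file path) are constructed for the demonstration:

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class XxeDemo {

    // Constructed sample: a DOCTYPE declaring an external general entity that
    // reads a local file, then a reference to it in element content.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE foo [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\"> ]>\n"
      + "<foo>&xxe;</foo>\n";

    /** Collects character content so we can see whether the entity was expanded. */
    static final class TextCollector extends DefaultHandler {
        final StringBuilder text = new StringBuilder();
        @Override public void characters(char[] ch, int start, int length) {
            text.append(ch, start, length);
        }
    }

    /** Reader as a default JAXP setup leaves it: DTDs allowed, external entities fetched. */
    static XMLReader vulnerableReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        return f.newSAXParser().getXMLReader();
    }

    /** Hardened reader: no DOCTYPE at all (OWASP's primary recommendation), external
     *  general/parameter entities off, and an EntityResolver that refuses everything
     *  in case a deployment has to relax the DOCTYPE ban. */
    static XMLReader hardenedReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        XMLReader r = f.newSAXParser().getXMLReader();
        r.setEntityResolver(new EntityResolver() {
            @Override public InputSource resolveEntity(String publicId, String systemId)
                    throws SAXException {
                // Never hand the parser a stream for an external identifier.
                throw new SAXException("external entity blocked: " + systemId);
            }
        });
        return r;
    }

    /** Parses xml with the given reader and returns the collected text content. */
    static String parse(XMLReader reader, String xml) throws IOException, SAXException {
        TextCollector h = new TextCollector();
        reader.setContentHandler(h);
        InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
        reader.parse(new InputSource(in));
        return h.text.toString();
    }

    public static void main(String[] args) throws Exception {
        try {
            // With the default reader the file contents end up in the element text.
            System.out.println("vulnerable reader expanded entity to: "
                + parse(vulnerableReader(), PAYLOAD).trim());
        } catch (Exception e) {
            // If the file is unreadable the parser surfaces an I/O error instead,
            // which is still an out-of-band read attempt triggered by the document.
            System.out.println("vulnerable reader attempted the read: " + e);
        }
        try {
            parse(hardenedReader(), PAYLOAD);
            System.out.println("hardened reader: document accepted (unexpected)");
        } catch (SAXException e) {
            // disallow-doctype-decl rejects the DOCTYPE before any entity is resolved.
            System.out.println("hardened reader rejected the document: " + e.getMessage());
        }
    }
}
```

With disallow-doctype-decl on, the parse fails at the DOCTYPE and the EntityResolver is never consulted; the resolver only earns its keep when that feature cannot be enabled (for instance, documents that legitimately carry a DTD), in which case the two external-entity features plus the refusing resolver are what stand between the document and the file system.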


            People

            • Assignee: aaime
            • Reporter: Aaron Waddell
            • Votes: 0
            • Watchers: 6
