-
Notifications
You must be signed in to change notification settings - Fork 464
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
XXE vulnerability in GenericPackager #462
Comments
GenericPackager configuration is usually read from the classpath. Having the ability to define entities is a nice to have feature that improves code readability. Somebody with enough access to the classpath to use an XXE have easier ways to compromise the system. Can you provide a use case where a GenericPackager configuration could be injected from a remote host? |
Well, you can't enforce it. IMO it should be secure by default, security > code readability. I'd rather disable external entities by default and make it possible to configure XML reader features for GenericPackager, so that anyone who actually needs it can redefine it. |
Fair enough. I'll reopen the issue and think about a way to configure it to reenable the feature. |
GenericPackager (as well as GenericValidatingPackager) are vulnerable to XML External Entity (XEE) attack.
Here is the test example that reproduces it
The
xxe
entity is getting resolved and request goes tohttps://jposxee.free.beeceptor.com/hacked
(it's just a mock API):It's not a finalized test that you can check in, but it gives you the idea.
The text was updated successfully, but these errors were encountered: