XEE security enhancements
For details regarding XEE (XML Entity Expansion), see http://fr.wikipedia.org/wiki/XML_entity_expansion.
The Restlet Framework XEE vulnerability is referenced as CVE-2014-1868.
Thanks to Alvaro Munoz from HP Fortify for reporting the issue and his assistance with the CVE process.
User code that relies on the following Restlet Framework extensions is subject to the XEE vulnerability:
- "xml"
- "atom", "javamail", "lucene", "odata", "openid", "rdf", "wadl", "xdb", which directly depend on the "xml" extension.
- "jackson", "jaxb", "jibx", "xstream", "rome", which provide automatic converters.
The following Restlet Framework components are concerned:
- XmlRepresentation and its subclasses SaxRepresentation and DomRepresentation.
- but also the representations that handle serialization/deserialization between class instances and XML streams: JacksonRepresentation, JibxRepresentation, XStreamRepresentation, SyndFeedRepresentation (rome).
The security fix ensures that you can safely parse incoming XML streams: at the representation level, we've added specific attributes, accessors and constructors (for the case where XML parsing happens at instantiation time). Read on for more details.
The XmlRepresentation class (with its subclasses DomRepresentation and SaxRepresentation) and the JacksonRepresentation class and its subclasses now declare two new attributes:
- "expandingEntityRefs": instance attribute that specifies whether the parser expands entity reference nodes; default value: false (inherited from XML_EXPANDING_ENTITY_REFS).
- "validatingDtd": instance attribute that asks for validation of the XML stream against a DTD; default value: false (inherited from XML_VALIDATING_DTD).
Starting with Restlet Framework versions 2.1.7 and 2.2 RC1, you must explicitly set either of these attributes to true if you need entity expansion or DTD validation. In those cases, you will be subject to the XEE vulnerability.
Moreover, SaxRepresentation and its subclasses declare a third new attribute:
- "secureProcessing": boolean that sets the SAX parser's internal secure-processing feature, to avoid XML overflow attacks; default value: true (inherited from XML_SECURE_PROCESSING).
In this case, the Restlet Framework uses XML converters that leverage the Representation subclasses listed above.
The security fix enlarges the control you now have over XML parsing.
- XML_EXPANDING_ENTITY_REFS: boolean class attribute that provides the default value for the "expandingEntityRefs" instance attribute. Default value is false (inherited from the "org.restlet.ext.xml.expandingEntityRefs" system property).
- XML_VALIDATING_DTD: boolean class attribute that provides the default value for the "validatingDtd" instance attribute. Default value is false (inherited from the "org.restlet.ext.xml.validatingDtd" system property).
- XML_SECURE_PROCESSING: boolean class attribute that provides the default value for the "secureProcessing" instance attribute. Default value is true (inherited from the "org.restlet.ext.xml.secureProcessing" system property).
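As an added example (not code from the Restlet project), a ServerResource that parses a posted XML entity under these settings. The setter names setExpandingEntityRefs and setValidatingDtd are assumed from the attribute names above; the resource name, the response body and the extra DOCTYPE rejection are illustrative choices of this example.

```java
import java.io.IOException;

import org.restlet.data.Status;
import org.restlet.ext.xml.DomRepresentation;
import org.restlet.representation.Representation;
import org.restlet.representation.StringRepresentation;
import org.restlet.resource.Post;
import org.restlet.resource.ResourceException;
import org.restlet.resource.ServerResource;
import org.w3c.dom.Document;

// Added example, not Restlet project code. Process-wide defaults are pinned
// at JVM startup through the system properties documented above, e.g.:
//   -Dorg.restlet.ext.xml.expandingEntityRefs=false
//   -Dorg.restlet.ext.xml.validatingDtd=false
//   -Dorg.restlet.ext.xml.secureProcessing=true
public class OrderResource extends ServerResource {

    @Post("xml")
    public Representation accept(Representation entity) {
        // Wrapping does not parse yet; parsing happens in getDocument() below.
        DomRepresentation xml = new DomRepresentation(entity);

        // Assumed accessor names (JavaBean setters for the "expandingEntityRefs"
        // and "validatingDtd" attributes). Set explicitly so that a change to
        // the class-level default cannot silently re-enable expansion here.
        xml.setExpandingEntityRefs(false);
        xml.setValidatingDtd(false);

        try {
            Document doc = xml.getDocument();

            // Extra defensive check: entity declarations live in the DOCTYPE,
            // and a request payload has no legitimate need for one, so reject it.
            if (doc.getDoctype() != null) {
                throw new ResourceException(Status.CLIENT_ERROR_BAD_REQUEST,
                        "DOCTYPE declarations are not accepted");
            }

            String root = doc.getDocumentElement().getTagName();
            setStatus(Status.SUCCESS_CREATED);
            return new StringRepresentation("accepted <" + root + ">");
        } catch (IOException e) {
            // Malformed XML, or input the parser refused, is a client error.
            throw new ResourceException(Status.CLIENT_ERROR_BAD_REQUEST, e);
        }
    }
}
```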
The enhancements described above concern the Jackson and JAXB parsers.
The Rome extension relies on JDOM. Our internal XEE tests did not reveal any XEE vulnerability.
The XStream extension relies on SAX and is explicitly configured to be XEE safe. Our internal XEE tests confirmed no XEE vulnerability.
Concerning the JiBX and EMF extensions, our internal XEE tests did not reveal any XEE vulnerability. Yet we welcome your feedback on these latter extensions.