JDOM XXE Protection [CVE-2013-1856]

db8b636e · Ben Murphy · Aaron Patterson · 8be69139 · db8b636e · db8b636e
5 changed file
--- a/activesupport/lib/active_support/xml_mini/jdom.rb
+++ b/activesupport/lib/active_support/xml_mini/jdom.rb
@@ -37,6 +37,12 @@ def parse(data)
        {}
      else
        @dbf = DocumentBuilderFactory.new_instance
+        # secure processing of java xml
+        # http://www.ibm.com/developerworks/xml/library/x-tipcfsx/index.html
+        @dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
+        @dbf.setFeature("http://xml.org/sax/features/external-general-entities", false)
+        @dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
+        @dbf.setFeature(javax.xml.XMLConstants::FEATURE_SECURE_PROCESSING, true)
        xml_string_reader = StringReader.new(data)
        xml_input_source = InputSource.new(xml_string_reader)
        doc = @dbf.new_document_builder.parse(xml_input_source)

--- a/activesupport/test/fixtures/xml/jdom_doctype.dtd
+++ b/activesupport/test/fixtures/xml/jdom_doctype.dtd
+<!ENTITY a "external entity">
--- a/activesupport/test/fixtures/xml/jdom_entities.txt
+++ b/activesupport/test/fixtures/xml/jdom_entities.txt
+<!ENTITY a "hello">
--- a/activesupport/test/fixtures/xml/jdom_include.txt
+++ b/activesupport/test/fixtures/xml/jdom_include.txt
+include me
--- a/activesupport/test/xml_mini/jdom_engine_test.rb
+++ b/activesupport/test/xml_mini/jdom_engine_test.rb
@@ -3,9 +3,12 @@
  require 'active_support/xml_mini'
  require 'active_support/core_ext/hash/conversions'

+
  class JDOMEngineTest < ActiveSupport::TestCase
    include ActiveSupport

+    FILES_DIR = File.dirname(__FILE__) + '/../fixtures/xml'
+
    def setup
      @default_backend = XmlMini.backend
      XmlMini.backend = 'JDOM'
@@ -30,10 +33,41 @@ def test_file_from_xml
       assert_equal 'image/png', file.content_type
    end

+    def test_not_allowed_to_expand_entities_to_files
+      attack_xml = <<-EOT
+      <!DOCTYPE member [
+        <!ENTITY a SYSTEM "file://#{FILES_DIR}/jdom_include.txt">
+      ]>
+      <member>x&a;</member>
+      EOT
+      assert_equal 'x', Hash.from_xml(attack_xml)["member"]
+    end
+
+  def test_not_allowed_to_expand_parameter_entities_to_files
+      attack_xml = <<-EOT
+      <!DOCTYPE member [
+        <!ENTITY % b SYSTEM "file://#{FILES_DIR}/jdom_entities.txt">
+        %b;
+      ]>
+      <member>x&a;</member>
+      EOT
+      assert_raise Java::OrgXmlSax::SAXParseException do
+        assert_equal 'x', Hash.from_xml(attack_xml)["member"]
+      end
+    end
+
+
+    def test_not_allowed_to_load_external_doctypes
+      attack_xml = <<-EOT
+      <!DOCTYPE member SYSTEM "file://#{FILES_DIR}/jdom_doctype.dtd">
+      <member>x&a;</member>
+      EOT
+      assert_equal 'x', Hash.from_xml(attack_xml)["member"]
+    end
+
    def test_exception_thrown_on_expansion_attack
-      assert_raise NativeException do
+      assert_raise Java::OrgXmlSax::SAXParseException do
        attack_xml = <<-EOT
-      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE member [
        <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
        <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">