Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Prevent XXE injection when parsing XML #602

Merged
merged 1 commit into from
Jul 19, 2023
Merged

Prevent XXE injection when parsing XML #602

merged 1 commit into from
Jul 19, 2023

Conversation

Lejdborg
Copy link
Contributor

@Lejdborg Lejdborg commented Aug 16, 2021
edited
Loading

Fixes

Fixes #488

Purpose

WS API response.xml is vulnerable to XXE injection attacks. Tracing the issue it seems to have been introduced a few years ago when the custom XML parser was replaced by a default one without the xercesSaxParserFactory.

I have reverted the code to using the custom factory parser.

cchantep
cchantep reviewed Oct 11, 2021
View reviewed changes
play-ws-standalone-xml/src/main/scala/play/api/libs/ws/XMLBodyReadables.scala
@@ -25,7 +25,7 @@ trait XMLBodyReadables {
* }}}
*/
implicit val readableAsXml: BodyReadable[Elem] = BodyReadable { response =>
xml.XML.load(new InputSource(new ByteArrayInputStream(response.bodyAsBytes.toArray)))
XML.parser.load(new InputSource(new ByteArrayInputStream(response.bodyAsBytes.toArray)))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand how that fix the issue?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

xml.XML.load initializes the default Scala XML parser without security configuration, while XML.parser calls the XML parser defined in https://github.com/playframework/play-ws/blob/main/play-ws-standalone-xml/src/main/scala/play/api/libs/ws/XML.scala. That parser sets a non-default SAX parser that prevents XML injection.

@mkurz
Copy link
Member

mkurz commented Jun 5, 2023

@xuwei-k what do you think about this fix?

xuwei-k
xuwei-k approved these changes Jul 8, 2023
View reviewed changes
Copy link
Contributor

@xuwei-k xuwei-k left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@mkurz mkurz merged commit e5ab9fb into playframework:main Jul 19, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cchantep cchantep cchantep left review comments

@xuwei-k xuwei-k xuwei-k approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

XMLBodyReadables has "XML External Entity Injection" vulnerability
4 participants
@Lejdborg @mkurz @cchantep @xuwei-k