Improve DTD/XSD security with regard to remote resources #671
Comments
At first, which version of vscode xml are you using? We fixed several xxe issues in 1.9.1. If I understand correctly you are not in untrusted workspace context. So you could have some xxe issues. If you are in untrusted it should never load your dtd from system and external entities. In trusted workspace it should download only dtd in system but not from external entities except if you have set the resolveexternalentities setting to true.
I understand the problem, but the keyword here is "trusted". You already trust the workspace to behave properly. Do you expect another level of trust to prevent remote queries to be performed? (which you can disable by setting the "xml.downloadExternalResources.enabled" preference to "false")
I'm running the latest version of this extension, which means
Turning by default `xml.downloadExternalResources.enabled` means that you will lose all features based on XSD/DTD (XML completion based on XSD/DTD, XML validation based on XSD/DTD, etc), in other words you will benefit with few features like XML syntax validation. Your case is about external entities which should be managed with My question is if you set
My server is still called no matter if the
Thanks for your feedback. I need to understand why the url is called. I wonder if the file is downloaded in lemminx cache or if this call is just to check the existence of the url.
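The trade-off described in these comments, as an added example that is not code from vscode-xml or lemminx: a Python xml.sax parse of a constructed document whose DOCTYPE and one general entity point at a remote host (a hypothetical, non-resolvable name), with a recording resolver that logs which URLs the parser would request without fetching them, gated by the external-general-entities feature that stands in for the download setting here.

```python
import io
import xml.sax
from xml.sax.handler import EntityResolver, feature_external_ges

# Constructed sample document (not from the issue): its DOCTYPE and one general
# entity point at a remote host; the hostname is a hypothetical, non-resolvable name.
SAMPLE_XML = b"""<?xml version="1.0"?>
<!DOCTYPE note SYSTEM "http://dtd.example.invalid/note.dtd" [
  <!ENTITY remote SYSTEM "http://dtd.example.invalid/fragment.xml">
]>
<note>&remote;</note>
"""


class RecordingResolver(EntityResolver):
    """Logs every external entity the parser asks for and hands back an empty
    replacement text, so no network or file access ever happens."""

    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        # Must be a stream: returning a plain string makes xml.sax treat it as
        # a URL or filename and open it, which is exactly the fetch to avoid.
        return io.StringIO("")


def external_references(xml_bytes, allow_external_entities):
    """Parse the document and return the external system IDs the parser tried
    to resolve, in order.  allow_external_entities stands in for a switch
    like xml.downloadExternalResources.enabled: when it is False the parser
    never calls the resolver, so nothing would be downloaded."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external_entities)
    resolver = RecordingResolver()
    parser.setEntityResolver(resolver)
    parser.parse(io.BytesIO(xml_bytes))
    return resolver.requested


if __name__ == "__main__":
    print("enabled :", external_references(SAMPLE_XML, True))
    print("disabled:", external_references(SAMPLE_XML, False))
```

With the stock EntityResolver instead of RecordingResolver, the enabled run would actually open both URLs, which is the outbound request the thread is about.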
Fixes redhat-developer/vscode-xml#671 Signed-off-by: azerr <[email protected]>
@m-1tZ I work on this issue, see eclipse-lemminx/lemminx#1183 (comment)
Issue
While testing for an XXE vulnerability in an application, I noticed a strange behavior from my VSCode. I could trace this back to your VSCode extension (XML Language Support by Red Hat) which executes my payload.dtd when opened in trusted mode or within a trusted project, and leaked my own files to my web server. The DTD payload can be seen in the following:
Execution
The file /tmp/secret.txt contains sensitive information and represents an arbitrary file on the filesystem of the victim. Upon opening the DTD file, the VSCode XML extension executes the payload and the destination server receives requests containing the file content, which can be seen down below:
Impact
Any *.dtd payload that is opened in a trusted VSCode project will leak arbitrary files to a remote attacker and thus poses a major security problem. There are several ways of distributing the DTD file to a victim (e.g. via a merge request, as an external file via a communication channel, via copy and paste platforms like StackOverflow, ...).