XEE security enhancements
For details regarding XEE (XML ENTITY EXPANSION), see http://en.wikipedia.org/wiki/Billion_laughs.
The Restlet Framework XEE vulnerability is referenced as CVE-2014-1868.
Thanks to Alvaro Munoz from HP Fortify for reporting the issue and his assistance with the CVE process.
User code that relies on the following Restlet Framework extensions is subject to the XEE vulnerability:
- the "xml" extension,
- the "atom", "javamail", "lucene", "odata", "openid", "rdf", "wadl" and "xdb" extensions, which depend directly on the "xml" extension,
- the "jackson", "jaxb", "jibx", "xstream" and "rome" extensions, which provide automatic converters.
The following Restlet Framework components are concerned:
- XmlRepresentation and its subclasses SaxRepresentation and DomRepresentation,
- and also the representations that handle serialization/deserialization between class instances and XML streams: JacksonRepresentation, JibxRepresentation, XStreamRepresentation and SyndFeedRepresentation (rome).
The security fix ensures that incoming XML streams are parsed safely: at the representation level, we have added specific attributes, accessors and constructors (for the case where XML parsing happens at instantiation time).
The XmlRepresentation class (and the inherited DomRepresentation and SaxRepresentation), as well as the JacksonRepresentation class and its subclasses, declare two new attributes:
- "expandingEntityRefs": instance attribute which specifies whether the parser should expand entity reference nodes; default value: false (inherited from XML_EXPANDING_ENTITY_REFS),
- "validatingDtd": instance attribute which enforces validation of the XML stream against a DTD; default value: false (inherited from XML_VALIDATING_DTD).
Starting with Restlet Framework versions 2.1.7 and 2.2 RC1, you need to set these attributes to true if you need entity expansion or DTD validation. In these cases, you will be subject to the XEE vulnerability.
Moreover, the SaxRepresentation class and its subclasses declare a third new attribute:
- "secureProcessing": instance attribute which activates the SAX internal secure processing feature (to avoid XML overflow attacks); default value: true (inherited from XML_SECURE_PROCESSING).
When the automatic converters are used, the Restlet Framework engine calls XML converters that rely on the Representation classes and subclasses discussed above.
The security fix extends the control you have over the XML parsing handled at the Representation level, through three class attributes:
- XML_EXPANDING_ENTITY_REFS: boolean class attribute that provides the default value for the "expandingEntityRefs" instance attribute. Default value is false (inherited from the "org.restlet.ext.xml.expandingEntityRefs" system property).
- XML_VALIDATING_DTD: boolean class attribute that provides the default value for the "validatingDtd" instance attribute. Default value is false (inherited from the "org.restlet.ext.xml.validatingDtd" system property).
- XML_SECURE_PROCESSING: boolean class attribute that provides the default value for the "secureProcessing" instance attribute. Default value is true (inherited from the "org.restlet.ext.xml.secureProcessing" system property).
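The three switches above map directly onto standard JAXP parser settings. The following Java class is an added example, not Restlet code, showing what the equivalent configuration looks like on a plain DocumentBuilderFactory: the defaults are read from the three system properties named on this page, and each factory setting is commented with the Restlet attribute it corresponds to. The class name, method names and the sample documents are constructed for the example; the "disallow-doctype-decl" feature URI is a Xerces feature (assumed to be the JDK's default parser here) and goes one step beyond the page's fix by refusing any DOCTYPE, which removes the DTD-defined entities that entity expansion needs in the first place.

```java
import java.io.IOException;
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/**
 * Added example (not Restlet code): a JAXP DocumentBuilderFactory configured
 * with the same three switches the Restlet fix exposes at the representation level.
 */
public class XeeSafeParsing {

    // Defaults mirror XML_EXPANDING_ENTITY_REFS / XML_VALIDATING_DTD /
    // XML_SECURE_PROCESSING (false, false, true); property names come from the page.
    static final boolean EXPANDING_ENTITY_REFS =
        Boolean.parseBoolean(System.getProperty("org.restlet.ext.xml.expandingEntityRefs", "false"));
    static final boolean VALIDATING_DTD =
        Boolean.parseBoolean(System.getProperty("org.restlet.ext.xml.validatingDtd", "false"));
    static final boolean SECURE_PROCESSING =
        Boolean.parseBoolean(System.getProperty("org.restlet.ext.xml.secureProcessing", "true"));

    // Xerces feature (assumed available on the JDK's default parser); not part of the page's fix.
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";

    public static DocumentBuilderFactory newFactory(boolean expandingEntityRefs,
                                                    boolean validatingDtd,
                                                    boolean secureProcessing,
                                                    boolean disallowDoctype)
            throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // "expandingEntityRefs": false keeps entity references as nodes instead of expanding them
        dbf.setExpandEntityReferences(expandingEntityRefs);
        // "validatingDtd": only validate against a DTD when explicitly requested
        dbf.setValidating(validatingDtd);
        // "secureProcessing": JAXP secure-processing feature (parser-enforced expansion limits)
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, secureProcessing);
        // Stricter than the page's fix: refuse any DOCTYPE, so no DTD can declare entities at all
        if (disallowDoctype) {
            dbf.setFeature(DISALLOW_DOCTYPE, true);
        }
        return dbf;
    }

    public static Document parse(DocumentBuilderFactory dbf, String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a plain document without a DOCTYPE
        String plain = "<?xml version=\"1.0\"?><root><item>ok</item></root>";
        // Constructed sample input: a document carrying an internal DTD subset
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE root [<!ELEMENT root ANY>]><root/>";

        // Same defaults as the Restlet representations: no expansion, no DTD validation, secure processing on
        DocumentBuilderFactory restletLike =
            newFactory(EXPANDING_ENTITY_REFS, VALIDATING_DTD, SECURE_PROCESSING, false);
        System.out.println("root element: " + parse(restletLike, plain).getDocumentElement().getTagName());

        // Stricter profile: the DOCTYPE itself is rejected before any entity can be declared
        DocumentBuilderFactory strict = newFactory(false, false, true, true);
        try {
            parse(strict, withDoctype);
            System.out.println("unexpected: DOCTYPE accepted");
        } catch (SAXException e) {
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

The "restletLike" factory reproduces the page's defaults; flipping expandingEntityRefs or validatingDtd to true reintroduces the exposure the page describes, so those two switches should only be enabled for trusted XML sources. The "strict" profile is the usual choice for services that never need a DTD.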
The enhancements described above concern the Jackson and JAXB parsers.
The Rome extension relies on JDOM. Our internal XEE tests did not reveal an XEE vulnerability.
The XStream extension relies on SAX and is explicitly configured to be XEE safe. Our internal XEE tests confirmed no XEE vulnerability.
Concerning the JiBX and EMF extensions, our internal XEE tests did not reveal an XEE vulnerability. Nevertheless, we welcome your feedback on these latter extensions.