Uploaded image for project: 'Red Hat Fuse'
  1. Red Hat Fuse
  2. ENTESB-12894

[camel-xslt] Unable to disable external entity injection to prevent XXE attack-Karaf

    XMLWordPrintable

Details

    • Bug
    • Status: Done
    • Major
    • Resolution: Done
    • fuse-7.5-GA
    • fuse-7.7-GA
    • Camel, Fuse Standalone
    • None
    • fuse-7.7-build1
    • +

    Description

      Camel-XSLT component TransformerFactory uses "net.sf.saxon.TransformerFactoryImpl" transformer factory implementation by default, if relevant Saxon library can be found on classpath.

      For a XSL stylesheet like:

      <!DOCTYPE sample [<!ENTITY ext_file SYSTEM "file:///etc/passwd">]>
      <xsl:stylesheet version="2.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
      	<xsl:output method="text" omit-xml-declaration="yes"/>
      	<xsl:template match="/">
      	&ext_file;
      	</xsl:template>
      </xsl:stylesheet>
      

      Camel-XSLT route using the "net.sf.saxon.TransformerFactoryImpl" will access and download content of the external file "/etc/passwd" and it results XXE attack.

      It is possible to use "om.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl" by setting

      -Djavax.xml.transform.TransformerFactory=
      com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl
      

      in this case, the camel-xslt route will throw an exception instead:

      org.xml.sax.SAXParseException: External Entity: Failed to read external document 'passwd', because 'file' access is not allowed due to restriction set by the accessExternalDTD property.
      

      However, there is no way to achieve the same when using "net.sf.saxon.TransformerFactoryImpl".

      The Apache Xalan only supports XSLT 1.0 while Saxon supports higher version XSLT version. Therefore, we will need a way to disable external file access when using Saxon.

      Attachments

        1. camel-core-2.21.0.fuse-750033-redhat-00001.jar
          4.60 MB
        2. camel-core-2.21.0.fuse-750033-redhat-00001.jar
          4.60 MB
        3. new-revised.tar
          58 kB
        4. revised.tar
          57 kB
        5. testcase.zip
          9 kB

        Issue Links

          Activity

            People

              yfang@redhat.com Freeman(Yue) Fang
              rhn-support-qluo Joe Luo
              Vratislav Hais Vratislav Hais
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: