Red Hat Fuse: ENTESB-12894

[camel-xslt] Unable to disable external entity injection to prevent XXE attack-Karaf


    Details

    • Type: Bug
    • Status: Done
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: fuse-7.5-GA
    • Fix Version/s: fuse-7.7-GA
    • Component/s: Camel, Fuse Standalone
    • Labels:
      None
    • Prod build version:
      fuse-7.7-build1
    • QE Test Coverage:
      +

      Description

      The Camel-XSLT component's TransformerFactory uses the "net.sf.saxon.TransformerFactoryImpl" transformer factory implementation by default, if the relevant Saxon library can be found on the classpath.

      For an XSL stylesheet like:

      <!DOCTYPE sample [<!ENTITY ext_file SYSTEM "file:///etc/passwd">]>
      <xsl:stylesheet version="2.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
      	<xsl:output method="text" omit-xml-declaration="yes"/>
      	<xsl:template match="/">
      	&ext_file;
      	</xsl:template>
      </xsl:stylesheet>
      

      A Camel-XSLT route using "net.sf.saxon.TransformerFactoryImpl" will access and read the content of the external file "/etc/passwd", which results in an XXE attack.

      It is possible to use "com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl" instead by setting

      -Djavax.xml.transform.TransformerFactory=com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl
      

      In this case, the camel-xslt route will throw an exception instead:

      org.xml.sax.SAXParseException: External Entity: Failed to read external document 'passwd', because 'file' access is not allowed due to restriction set by the accessExternalDTD property.
      

      However, there is no way to achieve the same when using "net.sf.saxon.TransformerFactoryImpl".

      Apache Xalan only supports XSLT 1.0, while Saxon supports later XSLT versions. Therefore, we need a way to disable external file access when using Saxon.
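      The following reproducer is an added example, not code from this issue, its attachments or the Camel project. It feeds the stylesheet quoted above to whichever TransformerFactory the JVM selects (so the -Djavax.xml.transform.TransformerFactory switch from the description can be exercised unchanged) and runs the transform twice: once as-is, and once after setting the JAXP 1.5 properties XMLConstants.ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET to the empty string, which is the restriction behind the accessExternalDTD SAXParseException shown above. The catch of IllegalArgumentException rests on an assumption: that a factory which does not understand a JAXP property rejects it in setAttribute rather than silently ignoring it. Whether the Saxon factory accepts the property is exactly what this issue is about, so run it with and without Saxon on the classpath and compare; the "<doc/>" input document is a constructed placeholder.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import java.io.StringReader;
import java.io.StringWriter;

public class XsltXxeCheck {

    // Stylesheet from the issue: the external entity is expanded straight into the text output.
    static final String XXE_XSL =
        "<!DOCTYPE sample [<!ENTITY ext_file SYSTEM \"file:///etc/passwd\">]>\n"
      + "<xsl:stylesheet version=\"2.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">\n"
      + "  <xsl:output method=\"text\" omit-xml-declaration=\"yes\"/>\n"
      + "  <xsl:template match=\"/\">&ext_file;</xsl:template>\n"
      + "</xsl:stylesheet>";

    // Constructed sample input document; the stylesheet ignores its content.
    static final String INPUT = "<doc/>";

    /** Returns the factory chosen by -Djavax.xml.transform.TransformerFactory (or the default lookup). */
    static TransformerFactory factory(boolean harden) {
        TransformerFactory tf = TransformerFactory.newInstance();
        if (harden) {
            try {
                // JAXP 1.5 restrictions. The JDK's xsltc factory honours them; the
                // "accessExternalDTD" SAXParseException in the issue comes from this setting.
                tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
                tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
            } catch (IllegalArgumentException e) {
                // Assumption: a factory that does not recognise the property rejects it here
                // instead of ignoring it. Either way, treat "not accepted" as "not hardened".
                throw new IllegalStateException(
                    tf.getClass().getName() + " rejected JAXP property: " + e.getMessage(), e);
            }
        }
        return tf;
    }

    /** Compiles the XXE stylesheet and applies it; returns whatever text the transform produced. */
    static String transform(boolean harden) throws Exception {
        Transformer t = factory(harden)
            .newTransformer(new StreamSource(new StringReader(XXE_XSL)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(INPUT)), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("factory in use: " + TransformerFactory.newInstance().getClass().getName());
        for (boolean harden : new boolean[] {false, true}) {
            try {
                String out = transform(harden);
                // Non-empty output here means the entity was resolved: /etc/passwd left the JVM.
                System.out.println("harden=" + harden + ": transform succeeded, "
                    + out.trim().length() + " chars of external content in output");
            } catch (Exception e) {
                // Expected for the hardened run with the JDK factory: a
                // TransformerConfigurationException wrapping the SAXParseException quoted above.
                System.out.println("harden=" + harden + ": blocked -> " + e);
            }
        }
    }
}
```

      Run it once with plain `java XsltXxeCheck` (JDK factory) and once with Saxon on the classpath, or force the JDK factory with the -D switch from the description. A run that prints "transform succeeded" for harden=true is the configuration this issue asks to be made impossible.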

        Attachments

        1. camel-core-2.21.0.fuse-750033-redhat-00001.jar
          4.60 MB
        2. camel-core-2.21.0.fuse-750033-redhat-00001.jar
          4.60 MB
        3. new-revised.tar
          58 kB
        4. revised.tar
          57 kB
        5. testcase.zip
          9 kB


              People

              Assignee:
              ffang Freeman(Yue) Fang
              Reporter:
              joe.luo Joe Luo
              Tester:
              Vratislav Hais Vratislav Hais
