Red Hat Fuse / ENTESB-14091

[camel-xslt] Unable to disable external entity injection to prevent XXE attack-SB2


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate Issue
    • Affects Version/s: fuse-7.5-GA
    • Fix Version/s: None
    • Labels: None

      Description

      The Camel-XSLT component's TransformerFactory uses the "net.sf.saxon.TransformerFactoryImpl" implementation by default if the Saxon library is found on the classpath.

      For an XSL stylesheet like:

      <!DOCTYPE sample [<!ENTITY ext_file SYSTEM "file:///etc/passwd">]>
      <xsl:stylesheet version="2.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
      	<xsl:output method="text" omit-xml-declaration="yes"/>
      	<xsl:template match="/">
      	&ext_file;
      	</xsl:template>
      </xsl:stylesheet>
      

      a Camel-XSLT route using "net.sf.saxon.TransformerFactoryImpl" will access and download the content of the external file "/etc/passwd", which results in an XXE attack.

      It is possible to use "com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl" instead by setting

      -Djavax.xml.transform.TransformerFactory=
      com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl
      

      In this case, the camel-xslt route throws an exception instead:

      org.xml.sax.SAXParseException: External Entity: Failed to read external document 'passwd', because 'file' access is not allowed due to restriction set by the accessExternalDTD property.
      

      However, there is no way to achieve the same restriction when using "net.sf.saxon.TransformerFactoryImpl".

      Apache Xalan only supports XSLT 1.0, while Saxon supports later XSLT versions. Therefore, we need a way to disable external file access when using Saxon.
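      As an added illustration that is not part of the report, the following shows how the JDK's own XSLTC TransformerFactory (the same one the report selects via the -D system property) can be locked down in code so that the stylesheet above is refused at compile time with the accessExternalDTD error quoted in the report; the class name, the helper methods and the embedded copy of the stylesheet are constructed for this example, and the report states that no equivalent switch was available for the Saxon factory.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;

public class XsltExternalAccessCheck {

    // Constructed copy of the stylesheet from the report: it declares an external
    // entity backed by a local file and expands it inside the template body.
    private static final String XXE_STYLESHEET =
        "<!DOCTYPE sample [<!ENTITY ext_file SYSTEM \"file:///etc/passwd\">]>\n"
      + "<xsl:stylesheet version=\"2.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">\n"
      + "  <xsl:output method=\"text\" omit-xml-declaration=\"yes\"/>\n"
      + "  <xsl:template match=\"/\">&ext_file;</xsl:template>\n"
      + "</xsl:stylesheet>";

    /** JDK built-in (Xalan/XSLTC) factory with external DTD/entity and stylesheet access switched off. */
    static TransformerFactory hardenedFactory() {
        // newDefaultInstance() (Java 9+) always returns the JDK's XSLTC factory, regardless of
        // which implementation is on the classpath or named in javax.xml.transform.TransformerFactory.
        TransformerFactory tf = TransformerFactory.newDefaultInstance();
        try {
            tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        } catch (TransformerConfigurationException e) {
            throw new IllegalStateException("factory does not support secure processing", e);
        }
        // Empty protocol list = no external DTDs or entities, and no xsl:import/xsl:include from URLs.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** True when compiling the stylesheet is refused, i.e. the external entity was never fetched. */
    static boolean stylesheetRejected(TransformerFactory tf, String xsl) {
        try {
            tf.newTransformer(new StreamSource(new StringReader(xsl)));
            return false; // compiled: the entity was resolved, so external access is still open
        } catch (TransformerConfigurationException e) {
            return true;  // expected: "'file' access is not allowed ... accessExternalDTD property"
        }
    }

    public static void main(String[] args) {
        System.out.println("hardened factory rejects XXE stylesheet: "
            + stylesheetRejected(hardenedFactory(), XXE_STYLESHEET));
    }
}
```

Running the same check against an unrestricted factory returns false, which makes this a usable unit test for confirming that a deployment's TransformerFactory configuration actually blocks external entity access.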

              People

              Assignee: Freeman (Yue) Fang (ffang)
              Reporter: Freeman (Yue) Fang (ffang)
              Tester: Vratislav Hais