Uploaded image for project: 'RESTEasy'
  1. RESTEasy
  2. RESTEASY-637

RestEasy and XXE injection - Services that accept XML are vulnerable to XXE attacks

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • 2.3.1
    • 2.2.2.GA
    • jaxrs
    • None
    • Medium

      We have RestEasy deployed end points in production. We are able to call the RestEasy end point by submitting the following ( as an example)

      <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
      <search><user>&xxe;</user></search>

      If we submit the above to a web service built on RestEasy, we can see the contents of /etc/passwd.

      This presents a well-documented security issue - XXE (XML eXternal Entity Attack)

      If we use SAX directly, we can instruct a parser not to read the external DTD subset by setting the http://xml.org/sax/features/external-general-entities and http://xml.org/sax/features/external-parameter-entities features to false.

      For example:
      parser.setFeature("http://xml.org/sax/features/external-general-entities", false);
      parser.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

      We can also accomplish the same using a custom entity resolver when using the parsers directly.

      How do we accomplish the same using RestEasy?

      From the documentation, it seems that we would have to write a custom MessageBodyReader, where we actually check for any of these doctype declarations before allowing the call to the proceed to the actual end point.

      Jersey also had a similar problem, which seems to have been addressed
      http://java.net/jira/browse/JERSEY-323

        1. TestXXE.java
          4 kB
        2. testpasswd
          0.0 kB
        3. resteasy-jaxrs-2.3.2.Final-sources.jar
          337 kB
        4. resteasy-jaxrs-2.3.2.Final.jar
          585 kB
        5. resteasy-jaxrs-2.2.3.GA.jar
          565 kB

              rsigal@redhat.com Ronald Sigal
              adkathuria_jira anuj kathuria (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: