We have RestEasy endpoints deployed in production. We are able to call a RestEasy endpoint by submitting the following (as an example):
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<search><user>&xxe;</user></search>
If we submit the above to a web service built on RestEasy, we can see the contents of /etc/passwd.
This presents a well-documented security issue: XXE (XML eXternal Entity attack).
If we use SAX directly, we can instruct a parser not to read the external DTD subset by setting the http://xml.org/sax/features/external-general-entities and http://xml.org/sax/features/external-parameter-entities features to false.
For example:
parser.setFeature("http://xml.org/sax/features/external-general-entities", false);
parser.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
We can also accomplish the same using a custom entity resolver when using the parsers directly.
How do we accomplish the same using RestEasy?
From the documentation, it seems that we would have to write a custom MessageBodyReader, where we actually check for any of these doctype declarations before allowing the call to proceed to the actual endpoint.
Jersey also had a similar problem, which seems to have been addressed:
http://java.net/jira/browse/JERSEY-323
Clones: RESTEASY-647 RestEasy and XXE injection - Services that accept XML are vulnerable to XXE attacks, Part II (Closed)