Details
- Type: Enhancement
- Resolution: Done
- Priority: Major
- Fix Version: 1.5.3.Final
Description
As discussed on Zulip, several modules inside WildFly Core, WildFly and possibly other components need to be protected against XXE. Some code paths currently use javax.xml.parsers.DocumentBuilderFactory or javax.xml.stream.XMLInputFactory directly, without restricting XML External Entity references.
Fix:
- Provide factories that set secure defaults (this issue)
- Use the new factories at the relevant places (WFCORE-5594)
Related to:
- https://owasp.org/Top10/A05_2021-Security_Misconfiguration/
- https://docs.oracle.com/en/java/javase/13/security/java-api-xml-processing-jaxp-security-guide.html#GUID-3FB69003-1E4A-435C-B519-4B9D07630460
The approach is to attempt to set or activate each relevant property and log a warning if the underlying factory implementation does not support it. The warning shall appear only once (per classloader).
Issue Links
- is related to: WFCOM-70 Additional XML Factories with Restriction of XXE (Pull Request Sent)