camel-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Stephan Siano (JIRA)" <>
Subject [jira] [Updated] (CAMEL-8312) XML External Entity (XXE) injection in XPath
Date Wed, 04 Feb 2015 10:31:34 GMT


Stephan Siano updated CAMEL-8312:
    Attachment: 0001-CAMEL-8312-XXE-vulnerability-in-XPath-evaluator.patch

> XML External Entity (XXE) injection in XPath
> --------------------------------------------
>                 Key: CAMEL-8312
>                 URL:
>             Project: Camel
>          Issue Type: Bug
>          Components: camel-core
>    Affects Versions: 2.13.3, 2.14.1
>            Reporter: Stephan Siano
>            Assignee: Willem Jiang
>         Attachments: 0001-CAMEL-8312-XXE-vulnerability-in-XPath-evaluator.patch
> If the documentType of an XPath expression is set to a class for that no type converter
exists and the data to which the expression is applied is of type WrappedFile or String the
XPath will seem to work anyway. However this setup will make the scenario susceptible to XXE
injection attacks (because the InputSource created from the String or Generic file will be
parsed by a default parser within the XPath evaluation and the XXE will succeed.
> Even worse, if the documentType is Document (the default) and the DOM parsing fails because
the document is invalid and contains an XXE injection this will allow DOS attacks on the system.
> The two unit tests contained in the patch show these two use cases (and throw a FileNotFoundException
on an unchanged XPath builder).
> As a side effect the Exception in the XPathFeatureTest.testXPath changes (because initially
there are errors during type conversion and during XPath evaluation whereas after the patch
processing is stopped after the type conversion error).

This message was sent by Atlassian JIRA

View raw message