camel-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christian Müller (JIRA) <>
Subject [jira] [Updated] (CAMEL-8312) XML External Entity (XXE) issue in XPath
Date Tue, 03 Mar 2015 20:51:05 GMT


Christian Müller updated CAMEL-8312:
    Summary: XML External Entity (XXE) issue in XPath  (was: XML External Entity (XXE) injection
in XPath)

> XML External Entity (XXE) issue in XPath
> ----------------------------------------
>                 Key: CAMEL-8312
>                 URL:
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-core
>    Affects Versions: 2.13.3, 2.14.1
>            Reporter: Stephan Siano
>            Assignee: Claus Ibsen
>             Fix For: 2.13.4, 2.14.3, 2.15.0
>         Attachments: 0001-CAMEL-8312-XXE-vulnerability-in-XPath-evaluator.patch
> If the documentType of an XPath expression is set to a class for that no type converter
exists and the data to which the expression is applied is of type WrappedFile or String the
XPath will seem to work anyway. However this setup will make the scenario susceptible to XXE
injection attacks (because the InputSource created from the String or Generic file will be
parsed by a default parser within the XPath evaluation and the XXE will succeed.
> Even worse, if the documentType is Document (the default) and the DOM parsing fails because
the document is invalid and contains an XXE injection this will allow DOS attacks on the system.
> The two unit tests contained in the patch show these two use cases (and throw a FileNotFoundException
on an unchanged XPath builder).
> As a side effect the Exception in the XPathFeatureTest.testXPath changes (because initially
there are errors during type conversion and during XPath evaluation whereas after the patch
processing is stopped after the type conversion error).

This message was sent by Atlassian JIRA

View raw message