From Christian Müller (JIRA) <j...@apache.org>
Subject [jira] [Updated] (CAMEL-8312) XML External Entity (XXE) issue in XPath
Date Tue, 03 Mar 2015 20:56:06 GMT

     [ https://issues.apache.org/jira/browse/CAMEL-8312?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Christian Müller updated CAMEL-8312:
------------------------------------
    Description: If the documentType of an XPath expression is set to a class for which no type converter exists and the data to which the expression is applied is of type WrappedFile or String, the XPath will seem to work anyway. However, this setup will create issues by using an InputSource created from the String or Generic file.  (was: If the documentType of an XPath expression is set to a class for which no type converter exists and the data to which the expression is applied is of type WrappedFile or String, the XPath will seem to work anyway. However, this setup will make the scenario susceptible to XXE injection attacks (because the InputSource created from the String or Generic file will be parsed by a default parser within the XPath evaluation and the XXE will succeed).

Even worse, if the documentType is Document (the default) and the DOM parsing fails because the document is invalid and contains an XXE injection, this will allow DoS attacks on the system.

The two unit tests contained in the patch show these two use cases (and throw a FileNotFoundException on an unchanged XPath builder).

As a side effect the Exception in XPathFeatureTest.testXPath changes (because initially there are errors during type conversion and during XPath evaluation, whereas after the patch processing is stopped after the type conversion error).)

> XML External Entity (XXE) issue in XPath
> ----------------------------------------
>
>                 Key: CAMEL-8312
>                 URL: https://issues.apache.org/jira/browse/CAMEL-8312
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-core
>    Affects Versions: 2.13.3, 2.14.1
>            Reporter: Stephan Siano
>            Assignee: Claus Ibsen
>             Fix For: 2.13.4, 2.14.3, 2.15.0
>
>
> If the documentType of an XPath expression is set to a class for which no type converter exists and the data to which the expression is applied is of type WrappedFile or String, the XPath will seem to work anyway. However, this setup will create issues by using an InputSource created from the String or Generic file.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
