

CVE-2022-0265: Add helper method to XmlUtil to enable XXE protection in the SAXParse… · hazelcast/hazelcast@4d6b666

Improper Restriction of XML External Entity Reference in GitHub repository hazelcast/hazelcast prior to 5.1.


@@ -25,6 +25,8 @@ import javax.xml.XMLConstants; import javax.xml.parsers.DocumentBuilderFactory; import javax.xml.parsers.ParserConfigurationException; import javax.xml.parsers.SAXParserFactory; import javax.xml.stream.XMLInputFactory; import javax.xml.transform.ErrorListener; import javax.xml.transform.OutputKeys; import javax.xml.transform.Source; @@ -41,7 +43,10 @@ import com.hazelcast.logging.Logger;
/** * Utility class for XML processing. * Utility class for XML processing. It contains several methods to retrieve XML processing factories with XXE protection * enabled (based on recommendation in the * <a href="https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html">OWASP XXE prevention * cheat-sheet</a>). */ public final class XmlUtil {
@@ -55,6 +60,7 @@ */ public static final String SYSTEM_PROPERTY_IGNORE_XXE_PROTECTION_FAILURES = “hazelcast.ignoreXxeProtectionFailures";
private static final String FEATURES_DISALLOW_DOCTYPE = “http://apache.org/xml/features/disallow-doctype-decl"; private static final ILogger LOGGER = Logger.getLogger(XmlUtil.class);
private XmlUtil() { @@ -68,7 +74,7 @@ private XmlUtil() { public static DocumentBuilderFactory getNsAwareDocumentBuilderFactory() throws ParserConfigurationException { DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); dbf.setNamespaceAware(true); setFeature(dbf, “http://apache.org/xml/features/disallow-doctype-decl”); setFeature(dbf, FEATURES_DISALLOW_DOCTYPE); return dbf; }
@@ -92,6 +98,24 @@ public static SchemaFactory getSchemaFactory() throws SAXException { return schemaFactory; }
/** * Returns {@link SAXParserFactory} with XXE protection enabled. */ public static SAXParserFactory getSAXParserFactory() throws ParserConfigurationException, SAXException { SAXParserFactory factory = SAXParserFactory.newInstance(); setFeature(factory, FEATURES_DISALLOW_DOCTYPE); return factory; }
/** * Returns {@link XMLInputFactory} with XXE protection enabled. */ public static XMLInputFactory getXMLInputFactory() { XMLInputFactory xmlInputFactory = XMLInputFactory.newInstance(); setProperty(xmlInputFactory, XMLInputFactory.SUPPORT_DTD, false); return xmlInputFactory; }
/** * Formats given XML String with the given indentation used. If the {@code input} XML string is {@code null}, or * {@code indent} parameter is negative, or XML transformation fails, then the original value is returned unchanged. The @@ -166,62 +190,63 @@ static void setAttribute(TransformerFactory transformerFactory, String attribute try { transformerFactory.setAttribute(attributeName, “”); } catch (IllegalArgumentException iae) { if (Boolean.getBoolean(SYSTEM_PROPERTY_IGNORE_XXE_PROTECTION_FAILURES)) { LOGGER.warning(“Enabling XXE protection failed. The attribute " + attributeName + " is not supported by the TransformerFactory. The " + SYSTEM_PROPERTY_IGNORE_XXE_PROTECTION_FAILURES + " system property is used so the XML processing continues in the UNSECURE mode” + " with XXE protection disabled!!!”); } else { LOGGER.severe(“Enabling XXE protection failed. The attribute " + attributeName + " is not supported by the TransformerFactory. This usually mean an outdated XML processor” + " is present on the classpath (e.g. Xerces, Xalan). If you are not able to resolve the issue by” + " fixing the classpath, the " + SYSTEM_PROPERTY_IGNORE_XXE_PROTECTION_FAILURES + " system property can be used to disable XML External Entity protections." + " We don’t recommend disabling the XXE as such the XML processor configuration is unsecure!!!", iae); throw iae; } printWarningAndRethrowEventually(iae, TransformerFactory.class, “attribute " + attributeName); } }
static void setFeature(DocumentBuilderFactory dbf, String featureName) throws ParserConfigurationException { try { dbf.setFeature(featureName, true); } catch (ParserConfigurationException e) { if (Boolean.getBoolean(SYSTEM_PROPERTY_IGNORE_XXE_PROTECTION_FAILURES)) { LOGGER.warning(“Enabling XXE protection failed. The feature " + featureName + " is not supported by the DocumentBuilderFactory. The " + SYSTEM_PROPERTY_IGNORE_XXE_PROTECTION_FAILURES + " system property is used so the XML processing continues in the UNSECURE mode” + " with XXE protection disabled!!!”); } else { LOGGER.severe(“Enabling XXE protection failed. The feature " + featureName + " is not supported by the DocumentBuilderFactory. This usually mean an outdated XML processor” + " is present on the classpath (e.g. Xerces, Xalan). If you are not able to resolve the issue by" + " fixing the classpath, the " + SYSTEM_PROPERTY_IGNORE_XXE_PROTECTION_FAILURES + " system property can be used to disable XML External Entity protections." + " We don’t recommend disabling the XXE as such the XML processor configuration is unsecure!!!", e); throw e; } printWarningAndRethrowEventually(e, DocumentBuilderFactory.class, “feature " + featureName); } }
static void setFeature(SAXParserFactory saxParserFactory, String featureName) throws ParserConfigurationException, SAXException { try { saxParserFactory.setFeature(featureName, true); } catch (SAXException e) { printWarningAndRethrowEventually(e, SAXParserFactory.class, “feature " + featureName); } catch (ParserConfigurationException e) { printWarningAndRethrowEventually(e, SAXParserFactory.class, “feature " + featureName); } }
static void setProperty(SchemaFactory schemaFactory, String propertyName) throws SAXException { try { schemaFactory.setProperty(propertyName, “”); } catch (SAXException e) { if (Boolean.getBoolean(SYSTEM_PROPERTY_IGNORE_XXE_PROTECTION_FAILURES)) { LOGGER.warning(“Enabling XXE protection failed. The property " + propertyName + " is not supported by the SchemaFactory. The " + SYSTEM_PROPERTY_IGNORE_XXE_PROTECTION_FAILURES + " system property is used so the XML processing continues in the UNSECURE mode” + " with XXE protection disabled!!!”); } else { LOGGER.severe(“Enabling XXE protection failed. The property " + propertyName + " is not supported by the SchemaFactory. This usually mean an outdated XML processor” + " is present on the classpath (e.g. Xerces, Xalan). If you are not able to resolve the issue by” + " fixing the classpath, the " + SYSTEM_PROPERTY_IGNORE_XXE_PROTECTION_FAILURES + " system property can be used to disable XML External Entity protections.” + " We don’t recommend disabling the XXE as such the XML processor configuration is unsecure!!!", e); throw e; } printWarningAndRethrowEventually(e, SchemaFactory.class, "property " + propertyName); } }
static void setProperty(XMLInputFactory xmlInputFactory, String propertyName, Object value) { try { xmlInputFactory.setProperty(propertyName, value); } catch (IllegalArgumentException e) { printWarningAndRethrowEventually(e, XMLInputFactory.class, “property " + propertyName); } }
private static <T extends Exception> void printWarningAndRethrowEventually(T cause, Class<?> clazz, String objective) throws T { String className = clazz.getSimpleName(); if (Boolean.getBoolean(SYSTEM_PROPERTY_IGNORE_XXE_PROTECTION_FAILURES)) { LOGGER.warning(“Enabling XXE protection failed. The " + objective + " is not supported by the " + className + “. The " + SYSTEM_PROPERTY_IGNORE_XXE_PROTECTION_FAILURES + " system property is used so the XML processing continues in the UNSECURE mode” + " with XXE protection disabled!!!”); } else { LOGGER.severe( “Enabling XXE protection failed. The " + objective + " is not supported by the " + className + “. This usually mean an outdated XML processor” + " is present on the classpath (e.g. Xerces, Xalan). If you are not able to resolve the issue by” + " fixing the classpath, the " + SYSTEM_PROPERTY_IGNORE_XXE_PROTECTION_FAILURES + " system property can be used to disable XML External Entity protections.” + " We don’t recommend disabling the XXE as such the XML processor configuration is unsecure!", cause); throw cause; } }
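Review bot: `getXMLInputFactory` only switches off `SUPPORT_DTD`; the OWASP cheat-sheet that the class Javadoc links also recommends disabling external entity resolution explicitly, so adding `setProperty(xmlInputFactory, XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);` keeps the returned factory safe even if a caller later re-enables DTD support on it. In `setFeature(SAXParserFactory, …)` the two catch blocks are byte-identical, which invites a multi-catch, but a multi-catch would infer `Exception` for the generic `T` of `printWarningAndRethrowEventually` and no longer fit the method's `throws` clause, so a why-comment such as `// separate catches on purpose: a multi-catch would infer T as Exception and break the throws clause` spares the next reader that detour. `printWarningAndRethrowEventually` also has no Javadoc; it should state that when `hazelcast.ignoreXxeProtectionFailures` is set the method logs a warning and returns normally, so the factory is handed back without the requested protection, which is the behaviour callers of the new `getSAXParserFactory` and `getXMLInputFactory` need to know about.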

