Merge pull request #1 from restlet/block_expansion_of_entities

Block entities expansion that leads to reveal local file system data.

Author: thboileau

.classpath

@@ -1,8 +1,27 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <classpath>
-	<classpathentry kind="src" output="target/classes" path="src/main/java"/>
-	<classpathentry kind="src" output="target/test-classes" path="src/test/java"/>
-	<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER/org.eclipse.jdt.internal.debug.ui.launcher.StandardVMType/J2SE-1.5"/>
-	<classpathentry kind="con" path="org.eclipse.m2e.MAVEN2_CLASSPATH_CONTAINER"/>
+	<classpathentry kind="src" output="target/classes" path="src/main/java">
+		<attributes>
+			<attribute name="optional" value="true"/>
+			<attribute name="maven.pomderived" value="true"/>
+		</attributes>
+	</classpathentry>
+	<classpathentry kind="src" path="src/test/resources"/>
+	<classpathentry kind="src" output="target/test-classes" path="src/test/java">
+		<attributes>
+			<attribute name="optional" value="true"/>
+			<attribute name="maven.pomderived" value="true"/>
+		</attributes>
+	</classpathentry>
+	<classpathentry kind="con" path="org.eclipse.jdt.launching.JRE_CONTAINER/org.eclipse.jdt.internal.debug.ui.launcher.StandardVMType/J2SE-1.5">
+		<attributes>
+			<attribute name="maven.pomderived" value="true"/>
+		</attributes>
+	</classpathentry>
+	<classpathentry kind="con" path="org.eclipse.m2e.MAVEN2_CLASSPATH_CONTAINER">
+		<attributes>
+			<attribute name="maven.pomderived" value="true"/>
+		</attributes>
+	</classpathentry>
 	<classpathentry kind="output" path="target/classes"/>
 </classpath>

.gitignore

@@ -0,0 +1,3 @@
+/target
+/.settings
+

pom.xml

@@ -1,10 +1,10 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
 	<modelVersion>4.0.0</modelVersion>
-	<groupId>org.simpleframework</groupId>
-	<artifactId>simple-xml</artifactId>
+	<groupId>org.restlet.lib</groupId>
+	<artifactId>org.simpleframework.simple-xml</artifactId>
 	<packaging>jar</packaging>
-	<version>2.7.1</version>
+	<version>2.7.2</version>
 	<name>Simple XML</name>
 	<url>http://simple.sourceforge.net</url>
 	<description>Simple is a high performance XML serialization and configuration framework for Java</description>
@@ -36,7 +36,7 @@
 		<dependency>
 			<groupId>junit</groupId>
 			<artifactId>junit</artifactId>
-			<version>3.8.1</version>
+			<version>4.12</version>
 			<scope>test</scope>
 		</dependency>
 		<dependency>

src/main/java/org/simpleframework/xml/stream/DocumentProvider.java

@@ -18,14 +18,16 @@
 
 package org.simpleframework.xml.stream;
 
+import java.io.IOException;
 import java.io.InputStream;
 import java.io.Reader;
 
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 
-import org.w3c.dom.Document;
 import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
 
 /**
  * The <code>DocumentProvider</code> object is used to provide event
@@ -54,6 +56,41 @@ class DocumentProvider implements Provider {
    public DocumentProvider() {
       this.factory = DocumentBuilderFactory.newInstance();
       this.factory.setNamespaceAware(true);
+
+        // Security issue: block entities expansion that can lead to expose local files
+        // cf https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Java
+        String FEATURE = null;
+        try {
+            // This is the PRIMARY defense. If DTDs (doctypes) are disallowed, almost all XML entity attacks are prevented
+            // Xerces 2 only - http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
+            FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
+            factory.setFeature(FEATURE, true);
+
+            // If you can't completely disable DTDs, then at least do the following:
+            // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities
+            // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities
+            // JDK7+ - http://xml.org/sax/features/external-general-entities
+            FEATURE = "http://xml.org/sax/features/external-general-entities";
+            factory.setFeature(FEATURE, false);
+
+            // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities
+            // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities
+            // JDK7+ - http://xml.org/sax/features/external-parameter-entities
+            FEATURE = "http://xml.org/sax/features/external-parameter-entities";
+            factory.setFeature(FEATURE, false);
+
+            // Disable external DTDs as well
+            FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+            factory.setFeature(FEATURE, false);
+
+            // and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks"
+            factory.setXIncludeAware(false);
+            factory.setExpandEntityReferences(false);
+        } catch (ParserConfigurationException e) {
+            throw new RuntimeException("ParserConfigurationException was thrown. The feature '" + FEATURE
+                    + "' is probably not supported by your XML processor.", e);
+        }
+
    }
 
    /**
@@ -93,9 +130,16 @@ public EventReader provide(Reader source) throws Exception {
     * @return this is used to return the event reader implementation
     */
    private EventReader provide(InputSource source) throws Exception {
-      DocumentBuilder builder = factory.newDocumentBuilder();       
-      Document document = builder.parse(source);
-      
-      return new DocumentReader(document);   
-   }
+      DocumentBuilder builder = factory.newDocumentBuilder();
+
+        try {
+            return new DocumentReader(builder.parse(source));
+        } catch (SAXException e) {
+            // On Apache, this should be thrown when disallowing DOCTYPE
+            throw new RuntimeException("A DOCTYPE was passed into the XML document, and this is blocked on purpose due to security issues", e);
+        } catch (IOException e) {
+            // XXE that points to a file that doesn't exist
+            throw new RuntimeException("IOException occurred, XXE may still possible", e);
+        }
+    }
 }

src/main/java/org/simpleframework/xml/stream/PullProvider.java

@@ -21,6 +21,9 @@
 import java.io.InputStream;
 import java.io.Reader;
 
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.stream.XMLInputFactory;
+
 import org.xmlpull.v1.XmlPullParser;
 import org.xmlpull.v1.XmlPullParserFactory;
 
@@ -50,6 +53,8 @@ class PullProvider implements Provider {
    public PullProvider() throws Exception {
       this.factory = XmlPullParserFactory.newInstance();
       this.factory.setNamespaceAware(true);
+      // Security issue: block entities expansion that can lead to expose local files
+      this.factory.setFeature(XmlPullParser.FEATURE_PROCESS_DOCDECL, false);
    }
 
    /**

src/main/java/org/simpleframework/xml/stream/StreamProvider.java

@@ -50,6 +50,8 @@ class StreamProvider implements Provider {
     */
    public StreamProvider() {
       this.factory = XMLInputFactory.newInstance();
+      // Security issue: block entities expansion that can lead to expose local files
+      this.factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
    }
 
    /**

src/test/java/org/simpleframework/xml/stream/XxeSecurityTest.java

@@ -0,0 +1,64 @@
+package org.simpleframework.xml.stream;
+
+import org.junit.Assert;
+import org.junit.Test;
+import org.simpleframework.xml.Element;
+import org.simpleframework.xml.Root;
+import org.simpleframework.xml.Serializer;
+import org.simpleframework.xml.core.Persister;
+import org.simpleframework.xml.core.ValueRequiredException;
+import org.xmlpull.v1.XmlPullParserException;
+
+public class XxeSecurityTest {
+
+    @Test
+    public void when_using_general_persister_should_fail() throws Exception {
+        Serializer serializer = new Persister();
+
+        try {
+            serializer.read(MyObject.class, XxeSecurityTest.class.getResourceAsStream("xxeSecurityTest.xml"));
+            Assert.fail("An exception should be thrown");
+        } catch (Exception e) {
+            // fine, test is ok
+        }
+    }
+
+    @Test(expected = ValueRequiredException.class)
+    public void when_using_streamProvider_should_fail() throws Exception {
+        checkProvider(new StreamProvider());
+    }
+
+    @Test(expected = XmlPullParserException.class)
+    public void when_using_pullProvider_should_fail() throws Exception {
+        checkProvider(new PullProvider());
+    }
+
+    @Test(expected = RuntimeException.class)
+    public void when_using_documentProvider_should_fail() throws Exception {
+        checkProvider(new DocumentProvider());
+    }
+
+    private void checkProvider(Provider provider) throws Exception {
+        Serializer serializer = new Persister();
+
+        EventReader eventReader = provider.provide(XxeSecurityTest.class.getResourceAsStream("xxeSecurityTest.xml"));
+        InputNode inputNode = new NodeReader(eventReader).readRoot();
+
+        serializer.read(MyObject.class, inputNode);
+    }
+
+    @Root
+    public static class MyObject {
+
+        @Element
+        public String message;
+
+        public MyObject() {
+            this.message = "aaa";
+        }
+
+        public MyObject(String message) {
+            this.message = message;
+        }
+    }
+}

src/test/resources/org/simpleframework/xml/stream/xxeSecurityTest.xml

@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE bbb [<!ELEMENT foo ANY>
+   <!ENTITY xxe SYSTEM "file:///etc" > 
+]>
+<myObject><message>&xxe;</message></myObject>