xxe #20
Comments
|
Internal ticket reference: CSAFE-54086 |
|
@360CodeSafe how are you analysing the code? I see an issue within XmlUtils.java which needs patched and the related classes which use it. However parseRegionMetadata & parseXmlInputStream are more difficult to determine |
|
We use the internal static code auditing tool (Qianxin Code Guardian) to do static code analysis and then manually review it. The following is the data flow of our engine analysis: Because I don’t know much about the project, whether the input point is controlled by the attacker needs the developer’s own judgment. |
|
@QiAnXinCodeSafe this issue has been resolved in the latest release of the SDK, version 2.5.0. Please review and let us know if this issue can be closed. |
HI!
I found that there are many places in ibm-cos-sdk-java that handle xml without disabling xml external entities, which may lead to xml external entity injection vulnerability.Take XmlUtil.java as an example:
The same problem still exists elsewhere:
parseRegionMetadata.java lline 118 ;
XpathUtils.java line 116;
parseXmlInputStream.java line 142;
The text was updated successfully, but these errors were encountered: