SAXParserFactory doesn't disable XML entity expansion

[jerseyrobot]

The DocumentBuilderFactory and XmlInputFactory providers aren't vulnerable to Billion Laughs attacks (exponential entity expansion) by disabling entity expansion altogether.

But the SAXParserFactory provider is only disabling external entities, and it's possible to use the following input to generate a very high memory consumption (specially if the application using it allows parallel requests):

<?xml version="1.0" encoding="UTF-8"?> 
<!DOCTYPE lolz [
  <!ENTITY lol "lollollollollollollol[...]">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
]>
<Quote> 
<fName>FIRST NAME &lol6;</fName> 
</Quote>

There is I actually a limit, but very high (like 100000 I think, and couldn't configure it with the entityExpansionLimit JDK property). If it doesn't work try removing the last level of recursion. Even if the depth is limited, there is no maximum for the expanded size so adding a few kilobytes to the entity text would make the attack successful.

Check disallow-doctype-decl feature in this example:
https://gist.github.com/asudhakar02/45e2e6fd8bcdfb4bc3b2

Affected Versions

[2.24]

[jerseyrobot]

@glassfishrobot Commented
Reported by alepulver

[jerseyrobot]

@glassfishrobot Commented
jkharness87 said:
The default appears to be 64,000 (as of JAXP 1.4):

https://docs.oracle.com/javase/tutorial/jaxp/limits/limits.html
https://jaxp.java.net/1.4/JAXP-Compatibility.html#JAXP_security

Setting the following system property would greatly limit the impact of the issue you raise (setting to 0 makes it unlimited, which you wouldn't want):

jdk.xml.entityExpansionLimit=1

I agree, though. It would be helpful to disable entity expansion altogether for systems that don't require it. More generally speaking, it'd be nice to offer control over all the configuration options as recommended by OWASP:

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#Java

[jerseyrobot]

@glassfishrobot Commented
This issue was imported from java.net JIRA JERSEY-3174

[jerseyrobot]

@kiranmn Commented
When is this issue going to be fixed?

The system property jdk.xml.entityExpansionLimit=1 does that work?

[jerseyrobot]

• Issue Imported From: https://github.com/jersey/jersey/issues/3446
• Original Issue Raised By:@glassfishrobot
• Original Issue Assigned To: @mpotociar

[rwalkerands]

There is also the system property jdk.xml.totalEntitySizeLimit. It would be nice to be able to set this for incoming message bodies.

[gjoseph]

Hi there,

For some reason, this issue has started being reported as a vulnerability by SourceClear - https://www.sourceclear.com/vulnerability-database/security/xml-entity-expansion-xee-/java/sid-3606 - with no CVE, however.

Is there a documented workaround, or possibly a patch that sets some better/safer defaults on the parser? Is PR#4472 doing that? If so, is that available in a particular Jersey release yet?

edit: it looks like it is included in 2.31 indeed.