Forwarding/replying to the list, since I'm officially Bad At Email.

On Wed, Mar 14, 2018 at 11:56 AM, Bridger Dyson-Smith <bdysonsmith@gmail.com> wrote:
Hi Fabrice -

On Wed, Mar 14, 2018 at 11:28 AM, Fabrice ETANCHAUD <fetanchaud@pch.cerfrance.fr> wrote:

Hello,

 

I found this MarkLogic post interesting,

So I forward it to the BaseX users.

I do not remember loading data I did not trust, but did somebody experience this kind of issue ?


I certainly haven't :) but clearly Christian, et al, have considered something similar to this. The INTPARSE[1] option let's you use an internal parser, instead of the standard Java parser.  There are options in the BaseX GUI to use the INTPARSE *and* expand entities from DTDs, but I don't know if those switches are available in the Options.

 

Best regards,

Fabrice Etanchaud

 


Hope that sheds some light on this. I tried the MarkLogic example using the INTPARSE (and no DTDs/entity parsing) and created a database that contains `<foo/>` :).

And on an additional test, again using the BaseX GUI, using the default Java Parser (both with and without the 'Parse DTDs and entities' option selected), databases were created that expanded the entity and inserted
<foo>
  <thing>
    <one>ONE</one>
  </thing>
</foo>
into the db.
 
Best,
So... untrusted input? INTPARSE is your friend - unless you need to expand custom entities.

Bridger
 
 

De : general-bounces@developer.marklogic.com [mailto:general-bounces@developer.marklogic.com] De la part de Marcel de Kleine
Envoyé : mercredi 14 mars 2018 13:43
À : general@developer.marklogic.com
Objet : [MarkLogic Dev General] Marklogic XXE and XML Bomb prevention

 

Hello,

 

We have noticed Marklogic is vulnerable to xxe (entity expansion) and xml bomb attacks. When loading an malicious document using xdmp:document-insert it won’t catch these and cause either loading of unwanted external documents (xxe) and lockup of the system (xml bomb).

 

For example, if I load this document :

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE foo [ 

   <!ELEMENT foo ANY >

   <!ENTITY xxe SYSTEM "file:///c:/text.xml" >]>

<foo>&xxe;</foo>

 

The file test.xml gets nicely added to the xml document.

 

See OWASP and others for examples.

 

This is clearly a xml processing issue so the question is : can we disable this? And if so, on what levels would this be possible. Best should be system-wide.

( And if you cannot disable this, I think this is something ML should address immediately.

 

Thank you in advance,

Marcel de Kleine, EPAM

 

Marcel de Kleine

Senior Software Engineer

 

Office: +31 20 241 6134 x 30530   Cell: +31 6 14806016   Email: marcel_de_kleine@epam.com

Delft, Netherlands   epam.com

 

CONFIDENTIALITY CAUTION AND DISCLAIMER
This message is intended only for the use of the individual(s) or entity(ies) to which it is addressed and contains information that is legally privileged and confidential. If you are not the intended recipient, or the person responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. All unintended recipients are obliged to delete this message and destroy any printed copies.