Hi Nico,
I’ve pasted my reply from May 3 below, in case it was missed. From my perspective, that should address the issue - please let me know if you see it differently.
Best regards, Gunther
Sent: Saturday, 3 May 2025 at 01:19
From: "Gunther Rademacher" grd@gmx.net
To: nverwer@rakensi.com, basex-talk@mailman.uni-konstanz.de
Subject: Re: [basex-talk] Security problem in 11.9?
Hi Nico,
What you describe is the expected behaviour. Please be aware of the recent changes to fn:doc (and also fn:parse-xml) that were made in 11.9.
These functions now support options to control the access to external entities, in particular:
- allow-external-entities: whether external entities are permitted (true) or rejected (false), default true
- dtd: whether external entities are processed (true) or ignored (false), default true
In fact, option dtd is not completely new, but previously its value was taken from the context option DTD, which defaults to false. So with 11.8, you could produce the same directory listing that you experienced with 11.9 by running this on the document that you provided:
basex -ODTD=yes "doc('doc.xml')"
Now the options can be supplied per function call; they are independent of the context options, and the defaults are different. To restore the result that you were used to with 11.9, you need to run:
basex "doc('doc.xml', { 'dtd': false() })"
You can now also run this in order to reject any external entity references:
basex "doc('doc.xml', { 'allow-external-entities': false() })"
The changes were made to implement the XQuery 4.0 specification of these functions:
https://qt4cg.org/specifications/xpath-functions-40/Overview.html#func-doc
https://qt4cg.org/specifications/xpath-functions-40/Overview.html#func-parse-xml
This is also described here:
https://docs.basex.org/12/Standard_Functions#fn:doc
https://docs.basex.org/12/Standard_Functions#fn:parse-xml
Best regards, Gunther
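The two per-call options from the reply above, put to work in a small query. This is an added example, not code from the thread or from BaseX itself. It assumes that doc.xml is the document Nico posted (a DOCTYPE with a SYSTEM entity pointing at file:///) sitting in the query's base directory, that BaseX 11.9 or later is used, and that a rejected external entity surfaces as a dynamic error that try/catch can intercept; the error code and description are whatever the parser reports, nothing specific is assumed about them. The `map { ... }` spelling is the XQuery 3.1 form of the `{ ... }` maps in Gunther's command lines.

```xquery
(: Added example, not from the thread or from BaseX itself. Assumes doc.xml is the
   posted document (DOCTYPE with SYSTEM "file:///") in the query's base directory,
   and BaseX 11.9+ with the fn:doc options described in the reply. :)

(: Strict mode: any external entity reference is rejected. Assumption: the rejection
   is a dynamic error, which try/catch turns into a result map instead of aborting
   the query. $err:code / $err:description hold whatever the parser reports. :)
declare function local:doc-strict($uri as xs:string) as map(*) {
  try {
    map {
      'accepted': true(),
      'document': doc($uri, map { 'allow-external-entities': false() })
    }
  } catch * {
    map {
      'accepted': false(),
      'code': $err:code,
      'reason': $err:description
    }
  }
};

(: Lenient mode: the DTD is ignored, so the external entity is never resolved.
   This is the behaviour the reply describes for 11.8 (context option DTD=false). :)
declare function local:doc-no-dtd($uri as xs:string) as document-node()? {
  doc($uri, map { 'dtd': false() })
};

(: Run both modes against the posted document and report the outcome of each. :)
let $strict := local:doc-strict('doc.xml')
return (
  'strict: accepted=' || $strict?accepted
    || (if ($strict?accepted) then '' else ', ' || string($strict?code) || ': ' || $strict?reason),
  'no-dtd: ' || serialize(local:doc-no-dtd('doc.xml'))
)
```

For a service that parses documents uploaded by outsiders, the strict variant is the one to wrap doc() and parse-xml() in: ignoring the DTD stops the expansion, but rejecting the reference outright also leaves an error entry that can be logged and alerted on.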
Sent: Thursday, 3 July 2025 at 13:39
From: nverwer@rakensi.com
To: basex-talk@mailman.uni-konstanz.de
Subject: [basex-talk] Re: Security problem in 11.9?
The issue in my message from 2 May still exists in BaseX 12.
The issue had to do with the following document:
<!DOCTYPE foo [ <!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///" >
]> <foo>&xxe;</foo>
This returns a document with a listing of the root of my file system. From there, I can enter sub-directories and extract files. This is a well-known external entity injection [https://portswigger.net/web-security/xxe#exploiting-xxe-to-retrieve-files]. This is present in both the standard and the internal parser. Currently, I can prevent this by running BaseX as a user with few permissions, but it would be better to be able to prevent this kind of entity expansion.
For my application, I need to process files sent by external users. And before that, I need to pass the security checks that my client performs.
Is this considered by other BaseX users to be a vulnerability? Why was it not present in BaseX 11.8? How (if at all) can it be solved?