Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: secure processing of document transformation to prevent XSLT injection #400

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

fix: secure processing of document transformation to prevent XSLT injection #400

wants to merge 1 commit into from

Conversation

rng70-or
Copy link

Motivation

In file: Configuration.java, there is a method updateConfigFile that transforms documents that come from an external source without proper validation and also there is a method createConfigProperty that transforms documents that come from an external source without proper validation. This may allow an attacker to execute malicious code or read sensitive file. To prevent/minimize the overall impact, when processing to any type of document secure processing should be enabled

    secureFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    secureFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    secureFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

Sponsorship and Support

This work is done by the security researchers from OpenRefactory and is supported by the Open Source Security Foundation (OpenSSF): Project Alpha-Omega. Alpha-Omega is a project partnering with open source software project maintainers to systematically find new, as-yet-undiscovered vulnerabilities in open source code - and get them fixed – to improve global software supply chain security.

The bug is found by running the Intelligent Code Repair (iCR) tool by OpenRefactory and then manually triaging the results.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@rng70-or