
Security Vulnerability - Action Required: XXE vulnerability in the newest version of the gpmall #225

Open
Crispy-fried-chicken opened this issue Jan 30, 2024 · 2 comments

Comments

@Crispy-fried-chicken

Crispy-fried-chicken commented Jan 30, 2024

I think your project may be vulnerable to Improper Restriction of XML External Entity Reference. It shares similarities with a recent CVE disclosure, CVE-2021-3878, in stanfordnlp/CoreNLP. The vulnerable methods are as follows:

  1. com.gpmall.pay.biz.payment.channel.wechatpay.WeChatBuildRequest.doXMLParse(String xml) in the file pay-service/pay-provider/src/main/java/com/gpmall/pay/biz/payment/channel/wechatpay/WeChatBuildRequest.java.

The source vulnerability information is as follows:

Vulnerability Detail:
CVE Identifier: CVE-2021-3878
Description: corenlp is vulnerable to Improper Restriction of XML External Entity Reference
Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-3878
Patch: stanfordnlp/CoreNLP@e5bbe13.

Vulnerability Description:
This vulnerability occurs because of the Improper Restriction of XML External Entity Reference. If the XML schema files have been compromised by a hacker, a victim carrying out regular processing may be subjected to an XML External Entity (XXE) Injection attack.

Recommended Actions:
The corresponding fixes are similar to CVE-2021-3878 to some extent. I have provided the following fixes by applying several patching statements, ensuring that the external entities and DTDs are not loaded when parsing and processing XML documents using the document builder. You can call the function safeDocumentBuilderFactory I defined below instead of directly calling DocumentBuilderFactory.newInstance() to create a DocumentBuilderFactory object to avoid XXE attacks.

  import javax.xml.XMLConstants;
  import javax.xml.parsers.DocumentBuilderFactory;
  import javax.xml.parsers.ParserConfigurationException;

  // Returns a DocumentBuilderFactory with DOCTYPE declarations, external DTDs and
  // external entities switched off, so XXE payloads are rejected at parse time.
  // `log` is the enclosing class's logger (e.g. Lombok's @Slf4j field).
  public static DocumentBuilderFactory safeDocumentBuilderFactory() {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    try {
      // Primary defence: refuse any DOCTYPE, which is where entities are declared.
      dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
      // Defence in depth for parsers that do not honour the feature above.
      dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
      dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
      dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
      dbf.setFeature("http://apache.org/xml/features/dom/create-entity-ref-nodes", false);
      dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    } catch (ParserConfigurationException e) {
      // Note: a factory whose features could not all be set is still returned here.
      log.warn("Could not fully harden DocumentBuilderFactory against XXE", e);
    }
    return dbf;
  }

Considering the potential risks it may have, I am willing to cooperate with you to verify, address, and report the identified vulnerability promptly through responsible means. If you require any further information or assistance, please do not hesitate to reach out to me.
Thank you, and I look forward to hearing from you soon.
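
An added worked example, not code from this issue or from gpmall, that applies the hardened factory above to the flat key/value XML a WeChat pay callback carries and shows that a document carrying a DOCTYPE is refused before any entity it declares can be resolved. The callback shape, the class name SafeWeChatXmlDemo and parseCallback as a stand-in for doXMLParse are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXParseException;

public class SafeWeChatXmlDemo {

    // Hardened factory: a DOCTYPE (and with it any entity declaration) is refused outright;
    // the remaining switches cover parsers that do not honour the first feature.
    static DocumentBuilderFactory safeFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Flattens <xml><key>value</key>...</xml> into a map (assumed callback shape;
    // this plays the role of doXMLParse in the report above).
    static Map<String, String> parseCallback(String xml) throws Exception {
        DocumentBuilder db = safeFactory().newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Map<String, String> out = new HashMap<>();
        NodeList children = doc.getDocumentElement().getChildNodes();
        for (int i = 0; i < children.getLength(); i++) {
            Node n = children.item(i);
            if (n.getNodeType() == Node.ELEMENT_NODE) out.put(n.getNodeName(), n.getTextContent());
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample callback; the values are placeholders, not real merchant data.
        String ok = "<xml><return_code><![CDATA[SUCCESS]]></return_code><out_trade_no>1</out_trade_no></xml>";
        System.out.println(parseCallback(ok));
        // Any DOCTYPE, even one declaring only a harmless internal entity, is rejected.
        String withDoctype = "<!DOCTYPE xml [<!ENTITY e \"x\">]><xml><return_code>&e;</return_code></xml>";
        try {
            parseCallback(withDoctype);
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run it once against a real callback body captured from your own test merchant account to confirm the happy path still parses after the hardening, since the fix only rejects documents that carry a DOCTYPE.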

@rkodang

rkodang commented Jan 30, 2024 via email

@Crispy-fried-chicken
Author

I have received your message. Thanks~

Please kindly verify it, thanks~
If necessary, I can also help by submitting a PR, thanks~
