Daffodil / DFDL-1659

Turn off XML general entities - creates vulnerabilities


    • Bug
    • Resolution: Unresolved
    • Normal
    • deferred
    • None
    • API, Back End, Front End
    • None

      See https://github.com/scala/scala-xml/issues/17 for a discussion of turning off entities in XML.

      We also need to turn off any way the XML parser would "go to the web" to resolve anything. This may already be off for parsing of DFDL schemas, as we have our own resolver, but we also feed things to Xerces for validation, and that might have these same issues. When processing data, our streaming in of XML for unparsing may not be defending against this either.

      Places we take in XML:

      DFDL Schema

      TDML file

      Config file

      XML Catalog

      Validation of DFDL Schema in Xerces

      Validation of XML of DFDL Infoset in Xerces (This is our own XML being output from parser, so less of an issue, but we might as well just be uniform about all of these)

      XML Input to the unparser

              Unassigned
              mbeckerle.dfdl Mike Beckerle
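
One way to apply the hardening this issue asks for uniformly across the listed XML entry points, as an added example that is not Daffodil's own code. It assumes the JDK's built-in JAXP implementation; the object and method names (`HardenedXml`, `saxFactory`, `schemaFactory`, `accepts`) are hypothetical and the sample documents are constructed.

```scala
import java.io.StringReader
import javax.xml.XMLConstants
import javax.xml.parsers.SAXParserFactory
import javax.xml.validation.SchemaFactory
import org.xml.sax.{InputSource, SAXParseException}
import org.xml.sax.helpers.DefaultHandler

// Hypothetical helper, not part of Daffodil.
object HardenedXml {
  // SAX factory that rejects any DOCTYPE, so no general or parameter
  // entity can be declared in the input at all.
  def saxFactory(): SAXParserFactory = {
    val f = SAXParserFactory.newInstance()
    f.setNamespaceAware(true)
    f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
    f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
    // Defence in depth, in case DOCTYPEs are later allowed for some input.
    f.setFeature("http://xml.org/sax/features/external-general-entities", false)
    f.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
    f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
    f
  }

  // Schema factory for validation that may not fetch DTDs or schemas by URL.
  // Assumption: these JAXP 1.5 properties are recognised by the JDK's built-in
  // implementation; a separately bundled Xerces may not recognise them.
  def schemaFactory(): SchemaFactory = {
    val sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI)
    sf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)
    sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "")
    sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "")
    sf
  }

  // True if the hardened parser accepts the document, false if it rejects it.
  def accepts(xml: String): Boolean =
    try {
      saxFactory().newSAXParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler)
      true
    } catch { case _: SAXParseException => false }

  def main(args: Array[String]): Unit = {
    // Constructed samples: a plain document and one declaring an internal entity.
    val plain = "<infoset><field>42</field></infoset>"
    val withEntity = """<!DOCTYPE infoset [<!ENTITY e "expanded">]><infoset>&e;</infoset>"""
    println(s"plain accepted: ${accepts(plain)}")
    println(s"entity document accepted: ${accepts(withEntity)}")
  }
}
```

With a catalog or custom resolver in place, the same factories still apply; the resolver then becomes the only path by which a schema location can be satisfied.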