Daffodil / DFDL-1659

Turn off XML general entities - creates vulnerabilities


Details

  • Type: Bug
  • Status: Open
  • Priority: Normal
  • Resolution: Unresolved
  • Affects Version/s: None
  • Fix Version/s: deferred
  • Component/s: API, Back End, Front End
  • Labels: None

Description

See https://github.com/scala/scala-xml/issues/17 for a discussion of turning off entities in XML.

We also need to turn off any way the XML parser could "go to the web" to resolve anything. This may already be off for parsing of DFDL schemas, as we have our own resolver, but we also feed things to Xerces for validation, which might have these same issues; and when processing data, our streaming in of XML for unparsing may not be defending against this either.

Places we take in XML:

  • DFDL Schema
  • TDML file
  • Config file
  • XML Catalog
  • Validation of DFDL Schema in Xerces
  • Validation of XML of DFDL Infoset in Xerces (this is our own XML being output from the parser, so less of an issue, but we might as well be uniform about all of these)
  • XML Input to the unparser
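The list above names the entry points; the following is one way to harden each of them with the JAXP and Xerces feature switches, added here as an example for this page and not Daffodil's own code. The class name HardenedXml, the method names and the two sample documents are constructed for the example, and Daffodil's real XML catalog resolver is stood in for by an entity resolver that simply refuses every request. The three factories cover the SAX path (schemas, TDML, config, catalogs), the Xerces schema-validation path, and the StAX streaming path used for unparser input.

```java
// Added example, not Daffodil project code: hardened parser factories for each
// XML entry point listed in the issue, plus a self-check that a DOCTYPE is refused.
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;
import javax.xml.validation.SchemaFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public final class HardenedXml {

    // SAX and Xerces feature URIs. FEATURE_SECURE_PROCESSING is the JAXP umbrella
    // switch; the others close specific doors (DOCTYPE, external entities, DTD fetch).
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXT_GENERAL = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    static final String LOAD_EXT_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /** SAX reader for DFDL schemas, TDML files, config files and XML catalogs. */
    public static XMLReader hardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature(DISALLOW_DOCTYPE, true);   // no DOCTYPE at all, so no entity declarations
        f.setFeature(EXT_GENERAL, false);
        f.setFeature(EXT_PARAMETER, false);
        f.setFeature(LOAD_EXT_DTD, false);
        f.setXIncludeAware(false);
        XMLReader r = f.newSAXParser().getXMLReader();
        // Stand-in for the project's own resolver (assumption): refuse every external
        // reference, so nothing is fetched even if a parser ignores one of the features.
        r.setEntityResolver((publicId, systemId) -> {
            throw new SAXParseException("external resolution disabled: " + systemId, null);
        });
        return r;
    }

    /** Xerces schema validation: never fetch external DTDs or schema documents. */
    public static SchemaFactory hardenedSchemaFactory() throws Exception {
        SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        sf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");     // "" means no protocol allowed
        sf.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return sf;
    }

    /** StAX factory for streaming XML infoset input to the unparser. */
    public static XMLInputFactory hardenedStaxFactory() {
        XMLInputFactory xf = XMLInputFactory.newInstance();
        // The DTD is not processed, so no entity it declares can ever be expanded.
        xf.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xf.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return xf;
    }

    /** True if the reader refuses the document (it should, for anything with a DOCTYPE). */
    public static boolean rejects(XMLReader r, String xml) throws Exception {
        r.setContentHandler(new DefaultHandler());
        try {
            r.parse(new InputSource(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))));
            return false;
        } catch (SAXParseException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a plain document and one declaring an internal entity.
        String plain = "<a><b>ok</b></a>";
        String withDoctype = "<!DOCTYPE a [<!ENTITY e \"x\">]><a>&e;</a>";
        System.out.println("plain accepted:   " + !rejects(hardenedReader(), plain));
        System.out.println("doctype rejected: " + rejects(hardenedReader(), withDoctype));

        // Streaming path: the hardened StAX reader handles the plain document normally.
        XMLStreamReader sr = hardenedStaxFactory().createXMLStreamReader(
            new ByteArrayInputStream(plain.getBytes(StandardCharsets.UTF_8)));
        while (sr.hasNext()) sr.next();
        sr.close();
    }
}
```

Refusing the DOCTYPE outright is the simplest rule to audit: an entity, internal or external, cannot be declared without one, so the general-entity and resolver questions raised above become moot on that path. The separate ACCESS_EXTERNAL_* properties matter because schema validation runs on a different factory than document parsing, which is why the issue lists the Xerces validation steps as their own entry points.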

People

  • Assignee: Unassigned
  • Reporter: Mike Beckerle (mbeckerle.dfdl)