clojure.xml processes XXE by default

Description

Per https://ask.clojure.org/index.php/10338/clojure-xml-processes-xxe-by-default

clojure.xml by default processes XML external entities. This allows inclusion of external files in the processed XML, both from the local file system and from remote servers. This seems like a bad idea when processing untrusted input.

Here's an example that includes /etc/hostname in the result (if you do not have that file on your computer, the result is a FileNotFoundException):

As far as I know, this feature is rarely used and e.g. data.xml disables it by default. Could it be disabled in clojure.xml as well to make it safer by default?
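As an added example (not code from the report or from Clojure's own source), here is a hardened replacement for clojure.xml's default SAX start function that applies the OWASP features the comment below refers to, passed through the optional second argument of clojure.xml/parse (a fn of source and ContentHandler). The sample document, the placeholder file path and the names startparse-safe and parse-untrusted are constructed for this illustration.

```clojure
(ns xxe-safe.core
  (:require [clojure.xml :as xml])
  (:import [javax.xml.parsers SAXParserFactory]
           [java.io ByteArrayInputStream]))

;; Constructed sample input: the kind of document the report describes,
;; declaring an external general entity that points at a local file.
(def untrusted-xml
  (str "<?xml version=\"1.0\"?>"
       "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>"
       "<foo>&xxe;</foo>"))

(defn startparse-safe
  "Drop-in replacement for clojure.xml's default startparse fn (assumed
  name). Builds a SAX parser with external entity resolution switched off,
  so entity references are skipped instead of being read from disk or
  fetched over the network. The DOCTYPE itself is still accepted, which is
  the trade-off discussed in the comment on this issue."
  [s ch]
  (let [factory (doto (SAXParserFactory/newInstance)
                  ;; do not expand <!ENTITY x SYSTEM "..."> in content
                  (.setFeature "http://xml.org/sax/features/external-general-entities" false)
                  ;; do not expand external parameter entities (%x;) in the DTD
                  (.setFeature "http://xml.org/sax/features/external-parameter-entities" false)
                  ;; do not fetch an external DTD named in the DOCTYPE
                  (.setFeature "http://apache.org/xml/features/nonvalidating/load-external-dtd" false))]
    (.. factory newSAXParser (parse s ch))))

(defn parse-untrusted
  "Parse an XML string with clojure.xml using the hardened SAX parser."
  [^String xml-str]
  (with-open [in (ByteArrayInputStream. (.getBytes xml-str "UTF-8"))]
    (xml/parse in startparse-safe)))

(comment
  ;; Default parser: the entity is resolved and the file's contents end up
  ;; in the element's :content, as the report describes.
  (xml/parse (ByteArrayInputStream. (.getBytes untrusted-xml "UTF-8")))
  ;; Hardened parser: the entity reference is skipped, so no file contents
  ;; appear in :content and nothing is read from disk.
  (parse-untrusted untrusted-xml))
```

If a parser other than the JDK's built-in Xerces is on the classpath, setFeature may throw for an unsupported feature name; treat that as a configuration error rather than silently falling back to the default parser.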

Environment

None

Activity

Erik Assum
March 21, 2021, 6:16 PM

In https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html it is recommended to set

reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

when doing so, the above example fails because it declares a doc-type.

I have opted to not set that feature, but rather chosen to set the other mentioned features to false.

Assignee

Unassigned

Reporter

Alex Miller

Labels

Approval

Triaged

Patch

Code and Test

Priority

Critical

Affects versions

Fix versions