camunda BPM / CAM-7974

DmnParser and BpmnParser are vulnerable to XXE processing

    Details

    • Type: Bug Report
    • Status: Closed
    • Priority: L3 - Default
    • Resolution: Fixed
    • Affects Version/s: 7.6.0
    • Fix Version/s: 7.8.0, 7.8.0-alpha1
    • Component/s: bpmn model api, dmn-engine
    • Labels:
      None
    • Environment:
      Camunda engine version 7.6.0

      Description

      When XML External Entities are processed, an attacker can get access to the file system of the machine hosting the camunda engine. Additionally, HTTP and FTP requests can be executed.
      This processing is executed while the XML is parsed.

      To disable this vulnerability, the org.camunda.bpm.model.xml.impl.parser.AbstractModelParser needs to set the expandEntityReferences property of the DocumentBuilderFactory to false.

      Expected:

      • Since this feature of XML is barely used, and most of the time only as an attack vector, the expected default value would be "disabled"
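As an added illustration (not part of this report and not Camunda's code), the stand-alone Java program below parses a constructed BPMN-shaped document that carries an external entity with three DocumentBuilderFactory configurations: the JAXP default, a factory with only expandEntityReferences set to false as proposed above, and a fully hardened factory following the OWASP XXE prevention guidance (DOCTYPE disallowed, external general and parameter entities and external DTD loading disabled, XInclude off). The hardened factory rejects the DOCTYPE before any entity can be resolved, which is the check a practitioner should rely on: expandEntityReferences(false) on its own only decides whether the DOM keeps EntityReference nodes and is not a complete XXE defence. The payload, the temporary file it points at and all class and method names are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

// Constructed example: three DocumentBuilderFactory configurations against an XXE payload.
public class XxeParserDemo {

    // Builds a BPMN-shaped document whose internal DTD declares an external entity that
    // resolves to a local file. The entity is referenced from element content because
    // XML forbids external entity references inside attribute values.
    static String xxePayload(Path secretFile) {
        return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
             + "<!DOCTYPE definitions [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secretFile.toUri() + "\">\n"
             + "]>\n"
             + "<definitions xmlns=\"http://www.omg.org/spec/BPMN/20100524/MODEL\">\n"
             + "  <process id=\"p\">\n"
             + "    <documentation>&xxe;</documentation>\n"
             + "  </process>\n"
             + "</definitions>\n";
    }

    // JAXP default: external general entities are resolved and inlined while parsing.
    static DocumentBuilderFactory defaultFactory() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        return f;
    }

    // The single change proposed in the report: keep EntityReference nodes instead of
    // expanding them. The DOCTYPE is still processed and the external resource may
    // still be fetched, so this alone is not a complete XXE defence.
    static DocumentBuilderFactory expandDisabledFactory() {
        DocumentBuilderFactory f = defaultFactory();
        f.setExpandEntityReferences(false);
        return f;
    }

    // Hardened configuration (OWASP XXE prevention guidance for DocumentBuilderFactory).
    // Rejecting the DOCTYPE stops every entity-based attack before the parser can open a
    // file, URL or DTD; the remaining features are defence in depth for parsers that
    // must accept a DOCTYPE.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses the document and returns the text of the documentation element, i.e.
    // whatever the entity reference resolved to.
    static String parseDocumentation(DocumentBuilderFactory f, String xml) throws Exception {
        Document doc = f.newDocumentBuilder()
                        .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagName("documentation").item(0).getTextContent();
    }

    static void attempt(String label, DocumentBuilderFactory f, String xml) {
        try {
            System.out.println(label + ": parsed, documentation=\"" + parseDocumentation(f, xml) + "\"");
        } catch (Exception e) {
            System.out.println(label + ": rejected, " + e.getClass().getSimpleName() + ": " + e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a sensitive file on the engine host, created here so the demo runs offline.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "CONSTRUCTED-SECRET".getBytes(StandardCharsets.UTF_8));
        try {
            String xml = xxePayload(secret);
            attempt("default", defaultFactory(), xml);
            attempt("expandEntityReferences=false", expandDisabledFactory(), xml);
            attempt("hardened", hardenedFactory(), xml);
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Compile and run with `javac XxeParserDemo.java && java XxeParserDemo`; the hardened factory fails the parse with a SAXParseException on the DOCTYPE declaration, so the entity is never opened, whereas the default factory inlines the file content into the documentation element. Compare the output of the middle configuration on your own JDK before relying on expandEntityReferences alone.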

        Activity

        meyer Daniel Meyer added a comment -

        First of all, thanks for reporting this!

        Are you interested in doing a pull request? Otherwise, we are currently also considering putting it on the roadmap.

        robow Robert Wittek added a comment - edited

        I created a pull request for the fix, but didn't find any other tests related to the parser itself.

        roman.smirnov Smirnov Roman added a comment -

        See pull request https://github.com/camunda/camunda-xml-model/pull/2

        roman.smirnov Smirnov Roman added a comment -

        Follow-up pull request https://github.com/camunda/camunda-xml-model/pull/3

        meyer Daniel Meyer added a comment - edited

        Hey Robert Wittek, thank you very much for the Pull Request!

          People

          • Assignee: roman.smirnov Smirnov Roman
          • Reporter: robow Robert Wittek
          • Votes: 0
          • Watchers: 4