camunda BPM: CAM-9285

Prevention of External Entity Processing

    Details

    • Type: Bug Report
    • Status: Open
    • Priority: L3 - Default
    • Resolution: Unresolved
    • Affects Version/s: 7.10.0-alpha3, 7.10.0-alpha4
    • Fix Version/s: 7.10.0, 7.7.10, 7.8.12, 7.9.7
    • Component/s: engine
    • Labels:

      Description

      When a deployed BPMN XML file contains a reference to an external entity, for example:

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE foo [
         <!ELEMENT foo ANY >
         <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
      <bpmn2:definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:bpmn2="http://www.omg.org/spec/BPMN/20100524/MODEL" xmlns:bpmndi="http://www.omg.org/spec/BPMN/20100524/DI" xmlns:camunda="http://activiti.org/bpmn" xmlns:dc="http://www.omg.org/spec/DD/20100524/DC" xmlns:di="http://www.omg.org/spec/DD/20100524/DI" xsi:schemaLocation="http://www.omg.org/spec/BPMN/20100524/MODEL BPMN20.xsd" id="_r7y_gEa-EeO5NO3lqhkDkg" targetNamespace="http://activiti.org/bpmn">
          <!-- [...] -->
          <bpmn2:outgoing>&xxe;</bpmn2:outgoing>
          <!-- [...] -->
      </bpmn2:definitions>

      then the engine tries to fetch the external entity.

      AT:

      • there exists a configuration option to disable this behavior
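The following is an added example (not Camunda engine code) showing the two parser configurations behind this issue: with the JAXP DocumentBuilderFactory defaults, parsing a BPMN file shaped like the one above fetches the SYSTEM entity and copies the referenced file's content into the bpmn2:outgoing element; with DOCTYPE declarations and external entity access disabled, the same file is rejected before anything is read. The class name BpmnXxeDemo, the boolean enableXxeProcessing that stands in for the configuration option the acceptance criterion asks for, and the temporary file used in place of /etc/passwd are all constructed for this demo.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/**
 * Added example, not Camunda code: a BPMN XML carrying an external entity leaks a
 * local file under JAXP defaults, while a parser built with external entity
 * processing disabled refuses the same input.
 */
public class BpmnXxeDemo {

    private static final String BPMN_NS = "http://www.omg.org/spec/BPMN/20100524/MODEL";

    /**
     * Builds a DocumentBuilder. The boolean models the configuration switch the
     * acceptance criterion asks for; its name and shape are assumptions for this demo.
     */
    static DocumentBuilder newParser(boolean enableXxeProcessing) throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        if (!enableXxeProcessing) {
            // Refuse any DOCTYPE: BPMN never needs one, and without a DTD there are no entity declarations.
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // Defence in depth in case another JAXP implementation ignores the feature above.
            dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
            dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
            dbf.setXIncludeAware(false);
            dbf.setExpandEntityReferences(false);
        }
        return dbf.newDocumentBuilder();
    }

    /** Parses the BPMN and returns the text content of the first bpmn2:outgoing element. */
    static String firstOutgoing(String bpmnXml, boolean enableXxeProcessing)
            throws ParserConfigurationException, SAXException, IOException {
        Document doc = newParser(enableXxeProcessing).parse(new InputSource(new StringReader(bpmnXml)));
        return doc.getElementsByTagNameNS(BPMN_NS, "outgoing").item(0).getTextContent();
    }

    /** Constructs a BPMN file shaped like the one in the report, pointing the entity at secretFile. */
    static String maliciousBpmn(Path secretFile) {
        return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
             + "<!DOCTYPE foo [\n"
             + "   <!ELEMENT foo ANY >\n"
             + "   <!ENTITY xxe SYSTEM \"" + secretFile.toUri() + "\" >]>\n"
             + "<bpmn2:definitions xmlns:bpmn2=\"" + BPMN_NS + "\" id=\"demo\""
             + " targetNamespace=\"http://example.invalid/bpmn\">\n"
             + "  <bpmn2:process id=\"p\">\n"
             + "    <bpmn2:startEvent id=\"start\">\n"
             + "      <bpmn2:outgoing>&xxe;</bpmn2:outgoing>\n"
             + "    </bpmn2:startEvent>\n"
             + "  </bpmn2:process>\n"
             + "</bpmn2:definitions>\n";
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for /etc/passwd so the demo does not depend on a real system file.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "db.password=hunter2".getBytes(StandardCharsets.UTF_8));
        String bpmn = maliciousBpmn(secret);

        // Default JAXP settings: the entity is fetched and the file content lands in the model.
        System.out.println("default parser  : outgoing = " + firstOutgoing(bpmn, true));

        // External entity processing disabled: parsing fails on the DOCTYPE, before any file is read.
        try {
            firstOutgoing(bpmn, false);
            System.out.println("hardened parser : unexpectedly parsed");
        } catch (SAXException e) {
            System.out.println("hardened parser : rejected (" + e.getMessage() + ")");
        }
        Files.deleteIfExists(secret);
    }
}
```

Run with `javac BpmnXxeDemo.java && java BpmnXxeDemo`. Disallowing the DOCTYPE is the strongest single setting here because a BPMN document never legitimately carries one; the remaining features and attributes cover parsers that do not honour that Xerces feature. If a JAXP implementation throws ParserConfigurationException for one of these settings, the caller should treat that as a hard failure rather than fall back to the default, entity-resolving parser.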

          Activity

          There are no comments yet on this issue.

            People

            • Assignee: Nikola Koevski (nikola.koevski)
            • Reporter: Roman Smirnov (roman.smirnov)