camunda BPM / CAM-9285

Prevention of External Entity Processing

    Details

      Description

      When a deployed BPMN XML contains a reference to an external entity

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE foo [
         <!ELEMENT foo ANY >
         <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
      <bpmn2:definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:bpmn2="http://www.omg.org/spec/BPMN/20100524/MODEL" xmlns:bpmndi="http://www.omg.org/spec/BPMN/20100524/DI" xmlns:camunda="http://activiti.org/bpmn" xmlns:dc="http://www.omg.org/spec/DD/20100524/DC" xmlns:di="http://www.omg.org/spec/DD/20100524/DI" xsi:schemaLocation="http://www.omg.org/spec/BPMN/20100524/MODEL BPMN20.xsd" id="_r7y_gEa-EeO5NO3lqhkDkg" targetNamespace="http://activiti.org/bpmn">
          <!-- [...] -->
          <bpmn2:outgoing>&xxe;</bpmn2:outgoing>
          <!-- [..] -->
      </bpmn2:definitions>

      then the engine tries to fetch the external entity (here the contents of /etc/passwd) while parsing the deployment.

      AT:

      • there exists a configuration option to disable this behavior
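Added example, not part of the issue or of Camunda's own code: the kind of parser hardening the acceptance test asks for, expressed with the standard JAXP SAX API. The `hardenedFactory` and `rejectsXxe` helpers and the sample document are constructed for this example; the sample reuses the DOCTYPE from the description, and the hardened parser rejects it before any entity is fetched.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class XxeParserCheck {

    // Constructed sample: a minimal BPMN-like document carrying the same
    // DOCTYPE/ENTITY declaration as the issue description.
    static final String SAMPLE_XML =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<!DOCTYPE foo [\n"
      + "  <!ELEMENT foo ANY >\n"
      + "  <!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]>\n"
      + "<bpmn2:definitions xmlns:bpmn2=\"http://www.omg.org/spec/BPMN/20100524/MODEL\">\n"
      + "  <bpmn2:outgoing>&xxe;</bpmn2:outgoing>\n"
      + "</bpmn2:definitions>\n";

    // Hypothetical helper (not Camunda's API): a SAXParserFactory with
    // external entity processing switched off, which is the behaviour the
    // acceptance test wants behind a configuration option.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DTD up front; a BPMN file has no legitimate need for one.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case the parser implementation ignores the DOCTYPE feature.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return f;
    }

    // Returns true when the document is rejected, i.e. the entity was never resolved.
    static boolean rejectsXxe(SAXParserFactory factory, String xml) throws Exception {
        SAXParser parser = factory.newSAXParser();
        try (InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))) {
            parser.parse(in, new DefaultHandler());
            return false;
        } catch (SAXException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened parser rejects sample: " + rejectsXxe(hardenedFactory(), SAMPLE_XML));
    }
}
```

With the JDK's built-in Xerces parser the hardened factory fails on the DOCTYPE itself, so the `file:///etc/passwd` reference is never dereferenced.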

        Activity

        nikola.koevski Nikola Koevski added a comment -

        The DmnParser and CmmnParser both have XXE Processing disabled already (see here - both classes extend AbstractModelParser from the XML Model API). Because of this, an option to disable was only added for the BPMN parser in the engine.


          People

          • Assignee: Yana Vasileva
          • Reporter: Smirnov Roman
          • Votes: 0
          • Watchers: 2
