The XML files of incoming requests need to be validated. One requirement is that character references are prevented entirely because of possible DoS attacks. If I configure the SAXParserFactory like below:

import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

then the parser still resolves 100.000 entity expansions.

The parser has encountered more than "100.000" entity expansions in this document; this is the limit imposed by the application.

The prevention of external references was done via an EntityResolver which works fine. But how do I prevent the character references?

My-Name-Is

2 Answers

Character references cannot cause a denial of service attack, so there is no reason to prevent them.

Michael Kay
  • But what in the case of a RESTful service, which handles the requests according to FIFO? If a request takes much longer because of the entity expansion, all other requests are delayed. Isn't it a kind of DoS? – My-Name-Is Aug 28 '13 at 20:25
  • If an XML file contains about 10^7 entity characters, the processing takes several minutes until a `java.lang.OutOfMemoryError: Java heap space` occurs. – My-Name-Is Aug 28 '13 at 23:11
  • What are "entity characters"? I suspect you're using incorrect terminology regarding entity references and character references, and we are therefore talking at cross-purposes. Character references are of the form ` ` or ` ` and cause no network traffic or significant performance overheads. – Michael Kay Aug 29 '13 at 08:20
  • Thank you. And yes, I'm talking about character references. But if the service receives the following XML ` <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;" > ... <!ENTITY j "&i;&i;&i;&i;&i;&i;&i;&i;&i;&i;" > ... &j; ...` the processing of this request takes several seconds and all further requests are queued. For me this is a classical DoS, or are we talking about different things? – My-Name-Is Aug 29 '13 at 09:11
  • `&a;` is not a character reference, it is an entity reference. – Michael Kay Aug 30 '13 at 09:58
  • Sorry, I'm here again. Can you please tell me what the different types of entity references are called: 1) `<!ENTITY a "1234567890" >` 2) `<!ENTITY ref SYSTEM "http://example.com/file.xml">` 3) `<!ENTITY ref SYSTEM "file:///etc/shadow/">` Or are they all together simply called `Entity References`? – My-Name-Is Aug 30 '13 at 14:57
  • None of these are entity references. An example of an entity reference is `&ref;`. These are entity declarations. The first one is a declaration of an internal entity; numbers 2 and 3 are external entities, more precisely external general parsed entities. – Michael Kay Aug 30 '13 at 16:46
An instance of org.apache.xerces.util.SecurityManager can limit the number of entity expansions. Here's an example.

import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
SAXParserFactory spf = SAXParserFactory.newInstance();
SAXParser saxParser = spf.newSAXParser();
// Xerces-specific security manager; with the limit set to -1 the parser fails on the first entity expansion
org.apache.xerces.util.SecurityManager mgr = new org.apache.xerces.util.SecurityManager();
mgr.setEntityExpansionLimit(-1);
saxParser.setProperty("http://apache.org/xml/properties/security-manager", mgr);

With this, the parsing process terminates if the XML file contains at least one entity reference. Now there's no more need for an EntityResolver.

The jar file which contains the SecurityManager can be downloaded here.

My-Name-Is
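A defensive configuration that avoids the entity-expansion problem altogether, added here as an example and not code from either post: rather than tuning the expansion limit, it disallows the DOCTYPE, so entity declarations (internal or external) never reach the parser, while plain character references such as `&#65;` still parse normally, which is the distinction Michael Kay draws above. It assumes a Xerces-based parser (the JDK default) that recognises the Apache and SAX feature URIs; the class name, tryParse, and the two sample documents are constructed for this demo.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxDemo {

    // Build a parser that refuses any DOCTYPE, so no entity declarations can be
    // supplied by the request and the expansion limit never comes into play.
    // Assumes a Xerces-based parser (JDK default) that knows these feature URIs.
    static SAXParser hardenedParser() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces: also disable external entity resolution explicitly.
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return spf.newSAXParser();
    }

    // Returns "ok" when the document parses, or the parser's error message otherwise.
    static String tryParse(String xml) throws Exception {
        try {
            hardenedParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return "ok";
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample 1: character references only, no DTD. Each one expands
        // to a single character, so the hardened parser accepts the document.
        String charRefs = "<msg>&#65;&#x42;&amp;</msg>";
        System.out.println(tryParse(charRefs));

        // Constructed sample 2: a tiny internal entity declaration. The document is
        // rejected at the DOCTYPE, before any expansion, however deeply it would nest.
        String entityDecl = "<!DOCTYPE msg [<!ENTITY a \"x\"><!ENTITY b \"&a;&a;\">]><msg>&b;</msg>";
        System.out.println(tryParse(entityDecl));
    }
}
```

The SecurityManager limit from the answer above remains the right tool when incoming documents legitimately need a DOCTYPE; when they never do, disallowing it outright is the simpler and more robust setting.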