Bug 582631 - Validate XML report files against schema and restrict external entity access.
Summary: Validate XML report files against schema and restrict external entity access.
Status: RESOLVED FIXED
Alias: None
Product: MAT
Classification: Tools
Component: Core (show other bugs)
Version: 1.14   Edit
Hardware: All All
: P3 normal (vote)
Target Milestone: 1.15.0   Edit
Assignee: Andrew Johnson CLA
QA Contact:
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks:
 
Reported: 2023-11-14 04:43 EST by Andrew Johnson CLA
Modified: 2023-12-11 11:16 EST (History)
4 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andrew Johnson CLA 2023-11-14 04:43:23 EST 
An Memory Analyzer reports are defined via an XML file.
https://help.eclipse.org/latest/index.jsp?topic=%2Forg.eclipse.mat.ui.help%2Fdoc%2Forg_eclipse_mat_report_report.html

We aleady have a schema, so should validate the XML against the schema and give warnings messages to the user if the report definition is not quite correct.

Also, we should be aware of XML external entity processing vulnerabilities.

https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
https://cwe.mitre.org/data/definitions/611.html

In general the reports don't need access an external entity, so we should disable this when the reports are executed.
Comment 1 Andrew Johnson CLA 2023-11-14 05:10:42 EST 
This is similar to https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8

We use the SAX parser for reading report definitions and so a malicious external report definition could do something unexpected if run by a user. I've confirmed that using add <!DOCTYPE root_element SYSTEM file:///c:/mysecret.txt> to the beginning of a report

However running an untrusted report could already do a denial of service, so I wonder how big an issue this is? 

I've got a fix for the parsing, and I have added some extra code to validate the report XML against the schema.

https://git.eclipse.org/r/c/mat/org.eclipse.mat/+/205415        
https://git.eclipse.org/c/mat/org.eclipse.mat.git/commit/?id=979835dab651c35be5b51155303c33e728ce2d11

Existing code should have stopped this problem but didn’t.
saxXmlReader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
https://docs.oracle.com/en/java/javase/17/docs/api/java.xml/javax/xml/parsers/SAXParser.html#setProperty(java.lang.String,java.lang.Object)
https://docs.oracle.com/en/java/javase/17/docs/api/java.xml/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING
https://docs.oracle.com/en/java/javase/17/docs/api/java.xml/javax/xml/XMLConstants.html#ACCESS_EXTERNAL_DTD
"When FEATURE_SECURE_PROCESSING is enabled, it is recommended that implementations restrict external connections by default, though this may cause problems for applications that process XML/XSD/XSL with external references."

The workaround for MAT 1.14.0 from https://docs.oracle.com/en/java/javase/17/docs/api/java.xml/javax/xml/XMLConstants.html#ACCESS_EXTERNAL_DTD and https://docs.oracle.com/en/java/javase/17/docs/api/java.xml/javax/xml/XMLConstants.html#ACCESS_EXTERNAL_SCHEMA is to run MAT with the following system properties set in MemoryAnalyzer.ini
-Djavax.xml.accessExternalSchema=
-Djavax.xml.accessExternalDTD=
Comment 2 Andrew Johnson CLA 2023-11-14 05:15:28 EST 
Possible plan:

1. Apply patch https://git.eclipse.org/r/c/mat/org.eclipse.mat/+/205415. Done.
2. Other people test the patch – do we need more?
3. Copy build to 2023-12/M3 prepare sim-rel
4. Update our SimRel contribution (Krum) – by Monday / Tuesday? ready for M3 SimRel.
5. Open bug (mark security, private). Done - this bug.
6. Discuss whether we need a CVE.
7. Write CVE (if needed).
8. Publish CVE (if needed).
9. At some point publish the bug – with the workaround for don’t run untrusted XML reports – read them first?
10. Announce on MAT mailing list.
11. Update new and noteworthy - need to get into 2023-12/RC1.
12. MAT 1.15.0 when released on December 6 2023 should have the fix.
Comment 4 Krum Tsvetkov CLA 2023-11-14 13:32:16 EST 
> See https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/169

I can't see it, even after I log in.
Comment 5 Marta Rybczynska CLA 2023-11-15 02:22:33 EST 
We need to add all people one by one to that ticket. Please come with a list and I will do that.
Comment 6 Andrew Johnson CLA 2023-11-21 04:01:21 EST 
From the plan:

1. Apply patch https://git.eclipse.org/r/c/mat/org.eclipse.mat/+/205415. Done.
2. Other people test the patch – do we need more?
3. Copy build to 2023-12/M3 prepare sim-rel. Done
4. Update our SimRel contribution (Krum) – by Monday / Tuesday? ready for M3 SimRel. Done.
5. Open bug (mark security, private). Done - this bug.
6. Discuss whether we need a CVE. Done.
7. Write CVE (if needed). CVE number assigned. All information present for CVE. Done.
8. Publish CVE (if needed).
9. At some point publish the bug – with the workaround for don’t run untrusted XML reports – read them first  / use system properties.
10. Announce on MAT mailing list.
11. Update new and noteworthy - need to get into 2023-12/RC1. - will be web-only version.
12. MAT 1.15.0 when released on December 6 2023 should have the fix.
Comment 7 Marta Rybczynska CLA 2023-12-11 09:09:25 EST 
The CVE has been published, I'm making this issue public too.
Comment 8 Andrew Johnson CLA 2023-12-11 11:16:03 EST 
The fixes are in Eclipse Memory Analyzer 1.15.0