[JAPI-463] HPCCFileSprayClient - Resolving XML external entity in user-controlled data - HPCC

XML

Word

Printable

Details

Type: Sub-task
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 8.8.x
Fix Version/s: 8.8.0
Component/s: WSClient
Labels:
None

Pull Request URL:
https://github.com/hpcc-systems/hpcc4j/pull/567

Description

https://github.com/rpastrana/HPCC4J/security/code-scanning/5

Parsing untrusted XML files with a weakly configured XML parser may lead to an XML External Entity (XXE) attack. This type of attack uses external entity references to access arbitrary files on a system, carry out denial of service, or server side request forgery. Even when the result of parsing is not returned to the user, out-of-band data retrieval techniques may allow attackers to steal sensitive data. Denial of services can also be carried out in this situation.

Attachments

Activity

People

Assignee:: Rodrigo Pastrana

Reporter:: Rodrigo Pastrana

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 09/Jun/22 4:12 PM

Updated:: 07/Jul/22 1:58 PM

Resolved:: 07/Jul/22 1:58 PM