Potential fix for code scanning alert no. 146: Resolving XML external entity in user-controlled data#27
Conversation
… entity in user-controlled data

### Context

This commit addresses a critical CodeQL finding (`java/xxe`) related to XML External Entity (XXE) processing in user-controlled XML data. The affected code path parses XML input without explicitly disabling DTDs and external entity resolution, which could allow XXE-based attacks such as:

- Arbitrary file access
- Server-side request forgery (SSRF)
- Denial of service

### Change summary

This change hardens the XML parsing configuration in `VersionDefinitionXml.load(InputStream)` by applying defensive parser settings recommended by OWASP and standard Java security guidance:

**XMLInputFactory**
- Explicitly disables DTD support
- Explicitly disables external entity resolution

**SchemaFactory**
- Enables JAXP secure processing
- Disables access to external DTDs and schemas (where supported)

All settings are applied defensively using try/catch blocks to preserve compatibility with different JAXP implementations.

### Impact

- No functional or behavioral changes for valid XML inputs
- Malicious XML relying on external entities or DTDs will now fail to parse
- Improves overall security posture without affecting business logic

### Notes

- This change is limited in scope to XML parser hardening
- No changes were made to higher-level logic or data flow
- The fix is intentionally minimal and focused on security hardening

Fixes: CodeQL alert apache#146

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Caution: Review failed. The pull request is closed.

**Walkthrough**: The changes introduce XXE (XML External Entity) security mitigations in the XML parsing workflow of
This PR hardens XML parsing against XXE as detected by CodeQL alert apache#146.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Potential fix for https://github.com/AndresMaqueo/ambari/security/code-scanning/146

In general, to fix XXE vulnerabilities in Java code that uses JAXP/StAX/JAXB, you must configure the XML parser to disallow DTDs and external entities before parsing any untrusted XML. For `XMLInputFactory`/`XMLStreamReader`, this means turning off DTD support and entity resolution features. For `SchemaFactory`, you should also enable the JAXP secure processing feature and, where possible, disable access to external DTDs and schemas.

For this specific issue, the best fix with minimal functional change is to harden the `XMLInputFactory` instance created in `VersionDefinitionXml.load(InputStream stream)` and to harden the `SchemaFactory` used for XSD validation. We should set the standard and implementation-specific properties recommended by OWASP:

On `XMLInputFactory`:
- `XMLInputFactory.SUPPORT_DTD` → `false`
- `"javax.xml.stream.isSupportingExternalEntities"` → `false`

On `SchemaFactory`:
- `XMLConstants.FEATURE_SECURE_PROCESSING` → `true`
- `setProperty`: `"http://apache.org/xml/properties/accessExternalDTD"` → `""`
- `"http://apache.org/xml/properties/accessExternalSchema"` → `""`

These changes only affect how XML is parsed and validated; they do not change the higher-level behavior of reading version definition files, except that malicious XML relying on DTDs or external entities will now fail to parse. No changes are required in `URLRedirectProvider` or `VersionDefinitionResourceProvider`; they continue to pass strings/streams as before, but the parser is now safe.

Concretely, in `VersionDefinitionXml.load(InputStream stream)`, after creating `xmlFactory`, configure its anti-XXE properties before creating the `XMLStreamReader`. Also, after creating the `SchemaFactory`, configure secure processing and disable external access before creating the `Schema`. We can keep all imports (no new ones are needed, since we already import `XMLConstants`, `XMLInputFactory`, and `SchemaFactory`).

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
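The hardening described in the PR description above and in the Copilot Autofix note, as an added stand-alone example. This is not code from the PR or from the Ambari code base: the class name `HardenedXmlLoad`, the helpers `hardenedInputFactory`, `hardenedSchemaFactory` and `textContent`, and the `<repository-version>` sample documents are all hypothetical, and the XXE payload is constructed inline. One deliberate difference from the note: it uses the standard JAXP constants `XMLConstants.ACCESS_EXTERNAL_DTD` and `XMLConstants.ACCESS_EXTERNAL_SCHEMA` (Java 7u40 and later), which every conforming JAXP implementation recognises, instead of the `http://apache.org/xml/properties/...` URIs quoted in the note, which are implementation-specific. Each setting is still applied in its own try/catch so that an implementation rejecting one property does not lose the others.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import javax.xml.validation.SchemaFactory;
import org.xml.sax.SAXException;

/**
 * Hypothetical stand-alone demonstration (not Ambari code) of the XXE hardening
 * described in the PR: a StAX factory with DTDs and external entities switched off,
 * and a SchemaFactory with secure processing on and external DTD/schema access blocked.
 */
public final class HardenedXmlLoad {

  /** XMLInputFactory that refuses DTDs and never resolves external entities. */
  static XMLInputFactory hardenedInputFactory() {
    XMLInputFactory factory = XMLInputFactory.newInstance();
    // Applied one at a time: an implementation that rejects one property still gets the rest.
    setQuietly(factory, XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
    setQuietly(factory, XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
    return factory;
  }

  private static void setQuietly(XMLInputFactory factory, String name, Object value) {
    try {
      factory.setProperty(name, value);
    } catch (IllegalArgumentException e) {
      // StAX signals an unknown property with IllegalArgumentException; keep going.
      System.err.println("unsupported StAX property " + name + ": " + e.getMessage());
    }
  }

  /** SchemaFactory that cannot fetch DTDs or schemas from the network or file system. */
  static SchemaFactory hardenedSchemaFactory() {
    SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
    try {
      schemaFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
    } catch (SAXException e) {
      System.err.println("secure processing not supported: " + e.getMessage());
    }
    // Standard JAXP property names; an empty string means no protocol is allowed.
    for (String prop : new String[] {XMLConstants.ACCESS_EXTERNAL_DTD, XMLConstants.ACCESS_EXTERNAL_SCHEMA}) {
      try {
        schemaFactory.setProperty(prop, "");
      } catch (SAXException e) {
        System.err.println("unsupported schema property " + prop + ": " + e.getMessage());
      }
    }
    return schemaFactory;
  }

  /** Concatenates the character content of a document; stands in for the real load() logic. */
  static String textContent(XMLInputFactory factory, InputStream in) throws XMLStreamException {
    XMLStreamReader reader = factory.createXMLStreamReader(in);
    try {
      StringBuilder text = new StringBuilder();
      while (reader.hasNext()) {
        if (reader.next() == XMLStreamConstants.CHARACTERS) {
          text.append(reader.getText());
        }
      }
      return text.toString().trim();
    } finally {
      reader.close();
    }
  }

  private static InputStream utf8(String xml) {
    return new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8));
  }

  public static void main(String[] args) throws Exception {
    XMLInputFactory factory = hardenedInputFactory();

    // Constructed benign input: must parse exactly as it did before the hardening.
    String benign = "<repository-version><release>2.6.0</release></repository-version>";
    System.out.println("benign: " + textContent(factory, utf8(benign)));

    // Constructed XXE payload: an external entity pointing at a local file.
    String xxe = "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE r [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>"
        + "<repository-version><release>&xxe;</release></repository-version>";
    try {
      String out = textContent(factory, utf8(xxe));
      // If the parser accepted the document, inspect the text: a non-empty value here
      // would mean the entity was actually expanded, i.e. the hardening did not take.
      System.out.println("parsed without error; text='" + out + "'");
    } catch (XMLStreamException e) {
      // With SUPPORT_DTD=false the DTD is skipped, so &xxe; is undeclared and parsing fails closed.
      System.out.println("hardened: XXE payload rejected (" + String.valueOf(e.getMessage()).trim() + ")");
    }

    SchemaFactory schemaFactory = hardenedSchemaFactory();
    System.out.println("schema factory secure processing: "
        + schemaFactory.getFeature(XMLConstants.FEATURE_SECURE_PROCESSING));
  }
}
```

Run it with `javac HardenedXmlLoad.java && java HardenedXmlLoad`. The second branch of the payload check is worth keeping in a real unit test: whether an undeclared entity reference raises `XMLStreamException` or is silently dropped depends on the StAX implementation on the classpath (the JDK's built-in parser versus Woodstox), so a test should assert that the file contents never appear in the output rather than assume one particular failure mode.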