[RHPAM-4435] Disable processing of all external resources in XML body… #2800
… of REST endpoints
//Disable XXE
SAXParserFactory spf = SAXParserFactory.newInstance();
spf.setNamespaceAware(true);
spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
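Review bot: setFeature on the fourth line can throw SAXNotRecognizedException or SAXNotSupportedException when the runtime SAXParserFactory is not a Xerces-derived implementation; make sure the surrounding code lets that exception propagate (fail closed) rather than catching it and continuing with a parser that still processes DOCTYPE declarations, otherwise the XXE protection silently disappears on such a runtime.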
@tkobayas Would it make sense to allow configuring this value, with the default value set to true?
Thinking whether there may be some valid cases for using DOCTYPE declarations.
@sutaakar disallow-doctype-decl is considered the safest way to prevent XXE (https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#general-guidance).
A payload generated by the kie-server-client API is the standard payload and it doesn't use DOCTYPE (DOCTYPE is not used in drools/jbpm documents either). So I guess almost no one uses DOCTYPE in kie-server payloads.
Even if there is a user who created a payload manually with DOCTYPE, I think we are right to say "we always disallow DOCTYPE in kie-server payloads for security reasons". WDYT? @mariofusco @elguardian
I honestly don't see any reason to send a payload with the DOCTYPE to the kie-server and, also considering the security risks it implies, I'd leave this as it is.
OK, fine for me.
@mariofusco Please merge this PR, thanks!
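As an added illustration of the feature discussed in this thread (not code from the PR or from the kie-server project), the following standalone Java program configures SAXParserFactory the same way the PR does and checks that a document carrying any DOCTYPE declaration is rejected while a plain document is accepted; the element names and both payloads are constructed samples, not real kie-server messages.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class DoctypeRejectionDemo {

    // Same configuration as the PR: with disallow-doctype-decl enabled, Xerces treats any
    // DOCTYPE as a fatal error, so no entity (internal or external) can even be declared.
    static SAXParser hardenedParser() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        // Propagates SAXNotRecognizedException on a parser that lacks the feature,
        // so the caller fails closed instead of silently running an unprotected parser.
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return spf.newSAXParser();
    }

    // Returns true when the document parses, false when the parser rejects it.
    // DefaultHandler rethrows fatal errors, which is how the DOCTYPE rejection surfaces.
    static boolean accepts(String xml) throws Exception {
        try {
            hardenedParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a client-generated style payload with no DOCTYPE (accepted)
        String plain = "<batch-execution lookup=\"ksession\"><insert><item>1</item></insert></batch-execution>";
        // Constructed sample: the same payload with a hand-written DOCTYPE declaring an
        // internal entity; the parser rejects it before the entity is ever expanded
        String withDoctype = "<!DOCTYPE batch-execution [<!ENTITY greeting \"hi\">]>"
                + "<batch-execution><insert><item>&greeting;</item></insert></batch-execution>";
        System.out.println("plain payload accepted:   " + accepts(plain));
        System.out.println("DOCTYPE payload accepted: " + accepts(withDoctype));
    }
}
```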
… of REST endpoints (kiegroup#2800)
Kudos, SonarCloud Quality Gate passed!
… of REST endpoints
JIRA:
https://issues.redhat.com/browse/RHPAM-4435
for 7.67.x : #2810
for 7.67.x-blue : #2811
How to replicate the CI configuration locally?
The Build Chain tool does "simple" Maven build(s); the builds are just Maven commands. But because the repositories relate to and depend on each other, and any change in an API or class method could affect several of those repositories, the build-chain tool is needed to handle cross-repository builds and to ensure that the latest version of the code is always used for each repository.
build-chain is a build tool which can be used on the command line locally or in GitHub Actions workflow(s). If you need to change multiple repositories and send multiple dependent pull requests related to one change, you can easily reproduce the same build by executing it in the GitHub-hosted environment or locally in your development environment. See the local execution details for more information.
How to retest this PR or trigger a specific build:
for a pull request, add the comment: Jenkins retest this
for a full downstream build, add the comment: Jenkins run fdb
for a compile downstream build, add the comment: Jenkins run cdb
for a full production downstream build, add the comment: Jenkins execute product fdb
for an upstream build, add the comment: Jenkins run upstream