[Java] Sandboxing Saxon to improve security

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[Java] Sandboxing Saxon to improve security

Philipp Nanz
Hi folks,

I am currently experimenting with microservices and have one that uses Saxon to transform XML data being sent to it. Recently, I have discovered that this approach is vulnerable to information disclosure leaks when specifically crafted XMLs or XSLTs are sent to it. E.g. you can get the microservice to hand out system files of the host.

Part of the problem was that the Xerces was configured in such a way that it was vulnerable to XXE (XML External Entity) attacks. This can mitigated by changing the Xerces config or by overriding the EntityResolver to block local URIs. However, another obvious attack vector is simply passing local file paths to fn:doc(), fn:unparsed-text() and the likes. For these, I would like to kind-of sandbox all IO access, so that local file access is blocked except for some whitelisted directories and their contents.

I understand that this could be achieved using a Java SecurityManager. But unfortunately, this is not an option at the moment.

So far I have identified the following classes that I would need to override to implement such custom sandboxing behaviour: URIResolver, UnparsedTextURIResolver, CollectionURIResolver.

Does anyone know of a way to achieve something like this without having to override every of these classes, i.e. some kind of central place? And do you know of any other XSLT features that could be used to fetch sensitive information from a host that it is running on?

Thanks in advance and kind regards,
Philipp  

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
saxon-help mailing list archived at http://saxon.markmail.org/
[hidden email]
https://lists.sourceforge.net/lists/listinfo/saxon-help 
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [Java] Sandboxing Saxon to improve security

Michael Kay
Sorry for the delay in responding. 99% of the moderation requests for the saxon-help list are for SPAM, so I don't attend to it very often. In future, please use the forums at saxonica.plan.io.

There's no central place in Saxon to bar all these routes to external resources at once: you have to implement each of the resolvers separately. Also, of course, you need to suppress extension functions (FeatureKeys.ALLOW_EXTERNAL_FUNCTIONS). That's probably the most important one because extension functions can be used to modify the system environment as well as interrogating it.

Michael Kay
Saxonica


> On 10 Jul 2017, at 16:17, Philipp Nanz <[hidden email]> wrote:
>
> Hi folks,
>
> I am currently experimenting with microservices and have one that uses Saxon to transform XML data being sent to it. Recently, I have discovered that this approach is vulnerable to information disclosure leaks when specifically crafted XMLs or XSLTs are sent to it. E.g. you can get the microservice to hand out system files of the host.
>
> Part of the problem was that the Xerces was configured in such a way that it was vulnerable to XXE (XML External Entity) attacks. This can mitigated by changing the Xerces config or by overriding the EntityResolver to block local URIs. However, another obvious attack vector is simply passing local file paths to fn:doc(), fn:unparsed-text() and the likes. For these, I would like to kind-of sandbox all IO access, so that local file access is blocked except for some whitelisted directories and their contents.
>
> I understand that this could be achieved using a Java SecurityManager. But unfortunately, this is not an option at the moment.
>
> So far I have identified the following classes that I would need to override to implement such custom sandboxing behaviour: URIResolver, UnparsedTextURIResolver, CollectionURIResolver.
>
> Does anyone know of a way to achieve something like this without having to override every of these classes, i.e. some kind of central place? And do you know of any other XSLT features that could be used to fetch sensitive information from a host that it is running on?
>
> Thanks in advance and kind regards,
> Philipp  
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot_______________________________________________
> saxon-help mailing list archived at http://saxon.markmail.org/
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/saxon-help


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
saxon-help mailing list archived at http://saxon.markmail.org/
[hidden email]
https://lists.sourceforge.net/lists/listinfo/saxon-help 
Loading...