I currently have a simple xml endpoint (example) created using the jersey-server 1.1 framework. it consumes and produces XML using the following notation:
@POST
@Path("/post")
@Consumes(MediaType.APPLICATION_XML)
@Produces(MediaType.APPLICATION_XML)
public Response getEmployee(Employee employee) {
return Response.status(Status.OK).entity(employee).build();
}
however the endpoint is vulnerable to XXE attacks. (example) its also possible to get my server to talk to request any endpoint using this notation...
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE test [
<!ENTITY % a SYSTEM "file:///etc/passwd">
%a;
]>
I want a way to protect the server and not allow it to call out to other servers/serve up files to attackers.
Is there a way to do this, since everything including the XML reading is coming from the framework itself ? @Consumes(MediaType.APPLICATION_XML)
The only way I think I could do this is to use regex on the body of the request somehow with a filter? to block DOCTYPE, SYSTEM, ENTITY requests and return an error but I am wondering is there a simpler way to do this and override the default behavior of @Consumes(MediaType.APPLICATION_XML)?
I'm going to address just the XXE concern because the question isn't entirely clear on other specific authentication/authorization concerns to address.
Starting from Blaise's approach to prevent XXE with basic JAXB, what needs to be done is to get lower-level access to the supplied XML. Good thing Jersey supports this out of the box. One way to do this is to replace your Employee argument with a StreamSource.
First get a hold of the existing JAXBContext:
private final @Context Providers providers; //full list of all providers available
Modify your interface to accept a StreamSource so you have access to the raw incoming XML:
@POST
@Path("/post")
@Consumes(MediaType.APPLICATION_XML)
@Produces(MediaType.APPLICATION_XML)
public Response getEmployee(StreamSource employeeStreamSource)
Configure the JAXBContext unmarshaller to ignore DTDs:
public Response getEmployee(StreamSource employeeStreamSource){
//we try to get a hold of the JAXBContext
ContextResolver<JAXBContext> jaxbResolver = provider.getContextResolver(JAXBContext.class, MediaType.APPLICATION_XML_TYPE);
JAXBContext jaxbContext= null;
if(null != jaxbResolver) {
jaxbContext = jaxbResolver.getContext(Employee.class);
}
if(null == jaxbContext) {
jaxbContext = JAXBContext.newInstance(Employee.class);
}
XMLInputFactory xif = XMLInputFactory.newFactory();
xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false); //Don't blindly parse entities
xif.setProperty(XMLInputFactory.SUPPORT_DTD, false); //suppress DTD
XMLStreamReader xsr = xif.createXMLStreamReader(employeeStreamSource); //beging parsing incoming XML
Unmarshaller unmarshaller = jaxbContext.createUnmarshaller();
Employee employee= (Employee) unmarshaller.unmarshal(xsr); //manually unmarshal
return Response.status(Status.OK).entity(employee).build();
}