
Orbeon Forms: is there a way to disable the processing of external entities to avoid XXE attacks?


After a PenTest, the Security Team found a possibility of XXE attack when submitting an Orbeon form through an HTTPS request, from our web application.

They were able to intercept the following XML:

<!DOCTYPE event-request [<!ENTITY nbsp "&#160;">]>
<xxf:event-request xmlns:xxf="http://orbeon.org/oxf/xml/xforms">
    <xxf:uuid>8a89ecf50184eb16f5671301691e0d9457568667</xxf:uuid>
    <xxf:sequence>16</xxf:sequence>
    <xxf:action>
        <xxf:event name="xxforms-blur" source-control-id="pd-section-per-sonalData-control≡xf-474≡pd-birthName-control"/>
        <xxf:event name="xforms-focus" source-control-id="pd-section-per-sonalData-control≡xf-474≡pd-birthName-control"/>
        <xxf:event name="xxforms-value" source-control-id="pd-section-per-sonalData-control≡xf-474≡pd-birthName-control">Tester&lt;</xxf:event>
        <xxf:event name="xxforms-blur" source-control-id="pd-section-per-sonalData-control≡xf-474≡pd-birthName-control"/>
    </xxf:action>
</xxf:event-request>

And injected a new external entity, <!ENTITY test "My-OwnEntity">, by manipulating the request. This was the XML submitted to the server:

<!DOCTYPE event-request [<!ENTITY nbsp "&#160;"><!ENTITY test "My-OwnEntity">]>
<xxf:event-request xmlns:xxf="http://orbeon.org/oxf/xml/xforms">
    <xxf:uuid>8a89ecf50184eb16f5671301691e0d9457568667</xxf:uuid>
    <xxf:sequence>16</xxf:sequence>
    <xxf:action>
        <xxf:event name="xxforms-blur" source-control-id="pd-section-per-sonalData-control≡xf-474≡pd-birthName-control"/>
        <xxf:event name="xforms-focus" source-control-id="pd-section-per-sonalData-control≡xf-474≡pd-birthName-control"/>
        <xxf:event name="xxforms-value" source-control-id="pd-section-per-sonalData-control≡xf-474≡pd-birthName-control">My-OwnEntity</xxf:event>
        <xxf:event name="xxforms-blur" source-control-id="pd-section-per-sonalData-control≡xf-474≡pd-birthName-control"/>
    </xxf:action>
</xxf:event-request>

The request is then processed correctly and the value of the entity appears in the response returned by the server.

According to them, two approaches/solutions are suggested: 1. Create a whitelist of allowed entities; or 2. Prevent the processing of these external entities in all cases.

But I couldn't find in the Orbeon documentation a way to implement any of these solutions (the second one would be more appropriate to my concrete case). Does anyone know how to do it or has experienced a similar situation and handled it differently?

Thank you.


Solution

  • Processing entities while parsing XML can be a security problem, for instance allowing a billion laughs denial-of-service attack, but it is not necessarily one if done properly. Orbeon Forms sets up Xerces, used for XML parsing, with a SecurityManager (#686) since version 4.0, and in that context entity parsing is safe, as far as I know.
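As an added example (not Orbeon's own code; the product's Xerces setup described above is internal to it), this is how a Java service that parses event-request XML itself can keep inline entity declarations such as nbsp working while refusing to resolve entities that point at an external URI. The class name, the request body and the placeholder SYSTEM URI are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedEventRequestParser {
    // Constructed event-request (not a real capture): Orbeon's own inline "nbsp"
    // entity plus an injected external entity whose URI is a placeholder.
    static final String REQUEST =
        "<!DOCTYPE event-request [<!ENTITY nbsp \"&#160;\">"
      + "<!ENTITY ext SYSTEM \"file:///placeholder-never-read\">]>"
      + "<xxf:event-request xmlns:xxf=\"http://orbeon.org/oxf/xml/xforms\">"
      + "<xxf:action><xxf:event name=\"xxforms-value\" source-control-id=\"c\">"
      + "A&nbsp;B&ext;</xxf:event></xxf:action></xxf:event-request>";
    // Keeps inline entity declarations (the event-request needs them) but never
    // resolves external ones. disallow-doctype-decl would reject the request outright.
    static SAXParser newHardenedParser() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);  // expansion limits
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return f.newSAXParser();
    }

    // Returns the xxforms-value text and the names of entities the parser refused to fetch.
    static String parseValue(String xml) throws Exception {
        final StringBuilder text = new StringBuilder(), skipped = new StringBuilder();
        newHardenedParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler() {
            boolean inValue;
            @Override public void startElement(String uri, String local, String qn, Attributes a) {
                inValue = "event".equals(local) && "xxforms-value".equals(a.getValue("name"));
            }
            @Override public void endElement(String uri, String local, String qn) { inValue = false; }
            @Override public void characters(char[] ch, int start, int len) {
                if (inValue) text.append(ch, start, len);
            }
            // Xerces reports an unresolved external reference here instead of reading its URI.
            @Override public void skippedEntity(String name) { skipped.append(name).append(' '); }
        });
        return "value=[" + text + "] skipped=[" + skipped.toString().trim() + "]";
    }
    public static void main(String[] args) throws Exception {
        System.out.println(parseValue(REQUEST));  // nbsp expands inline, ext is skipped
    }
}
```

Note that the entity injected in the question is an inline one, so it expands to exactly the literal text it declares, the same as typing that text into the field; the features above address the other case, an entity whose replacement text would be fetched from a URI.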