[Geoserver-devel] [JIRA] (GEOS-10438) ENTITY_RESOLUTION_ALLOWLIST property not working

Wouter Kobes created an issue

GeoServer / Bug GEOS-10438

ENTITY_RESOLUTION_ALLOWLIST property not working

Issue Type: Bug
Assignee: Unassigned
Created: 31/Mar/22 1:07 PM
Priority: Medium
Reporter: Wouter Kobes

There seem to be several problems with the ENTITY_RESOLUTION_ALLOWLIST setting, which can be used to restrict the http/https sources that are allowed by the application. I have encountered two functional bugs and one security issue. For the latter I will send an email with details.

The first bug is encountered here: https://github.com/geoserver/geoserver/blob/c4e0c506024bbf455430fad33d25e938c85952c6/src/main/src/main/java/org/geoserver/util/EntityResolverProvider.java#L124

{noformat}
} else if (!"".equals(allowed.trim())) {
{noformat}

Should be

{noformat}
} else if ("".equals(allowed.trim())) {
{noformat}

Otherwise the content of the entity resolution allowlist is never parsed.

The second issue is in https://github.com/geoserver/geoserver/blob/c4e0c506024bbf455430fad33d25e938c85952c6/src/main/src/main/java/org/geoserver/util/AllowListEntityResolver.java#L112

The getExternalSubset function is used when the allowlist is set.
This function calls resolveEntity with:

return resolveEntity(name, null, baseURI, null);

systemId is set to null. However, resolveEntity tries to parse systemId to a URI:

if (URI.create(systemId).isAbsolute()) {

Thus a NullPointerException is thrown, and caught at line 164. This results in a SAXException thrown at line 169 with the message "Entity resolution disallowed for null" for any resolution attempt.

The security vulnerability will be reported through email, but could lead to a bypass of the setting (if the previous two bugs are addressed).
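To make the two reported behaviours concrete, here is a small illustrative resolver, written as an added example for this page; it is not GeoServer's EntityResolverProvider or AllowListEntityResolver code, and the class and method names (AllowlistResolverDemo, parseAllowlist, isAllowed) as well as the comma-separated-hostname format of the property value are assumptions. It shows the blank check with the correct polarity, a null systemId handled before any URI parsing so URI.create never sees null, relative identifiers resolved against baseURI before the host is compared against the allowlist, and getExternalSubset returning null instead of re-entering resolveEntity with a null systemId.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;

import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.ext.EntityResolver2;

// Illustrative allowlist entity resolver (added example; not GeoServer's code).
// The class/method names and the "host1, host2" property format are assumptions.
public class AllowlistResolverDemo implements EntityResolver2 {

    private final Set<String> allowedHosts;

    public AllowlistResolverDemo(String allowlistProperty) {
        this.allowedHosts = parseAllowlist(allowlistProperty);
    }

    // Blank value: nothing is allowed. Non-blank value: comma-separated hostnames.
    // The list-parsing branch is the one taken when the value is NOT blank; with the
    // inverted check from the report that branch is never reached.
    static Set<String> parseAllowlist(String property) {
        if (property == null || "".equals(property.trim())) {
            return Set.of();
        }
        return Arrays.stream(property.split(","))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .map(s -> s.toLowerCase(Locale.ROOT))
                .collect(Collectors.toUnmodifiableSet());
    }

    // Allowlist decision. The null case is handled before URI parsing because
    // URI.create(null) / new URI(null) throw NullPointerException (the second bug).
    boolean isAllowed(String baseURI, String systemId) throws SAXException {
        if (systemId == null) {
            return false; // nothing to fetch, nothing to allow
        }
        URI target;
        try {
            target = new URI(systemId);
            if (!target.isAbsolute()) {
                if (baseURI == null) {
                    return false; // cannot tell where a relative id would be fetched from
                }
                target = new URI(baseURI).resolve(target); // compare the resolved host
            }
        } catch (URISyntaxException e) {
            throw new SAXException("Entity resolution disallowed for malformed id " + systemId, e);
        }
        String scheme = target.getScheme();
        String host = target.getHost();
        if (scheme == null || host == null) {
            return false; // file:, jar: and opaque URIs carry no host to allowlist
        }
        scheme = scheme.toLowerCase(Locale.ROOT);
        if (!scheme.equals("http") && !scheme.equals("https")) {
            return false;
        }
        return allowedHosts.contains(host.toLowerCase(Locale.ROOT));
    }

    @Override
    public InputSource resolveEntity(String name, String publicId, String baseURI, String systemId)
            throws SAXException {
        if (isAllowed(baseURI, systemId)) {
            return null; // null tells the SAX parser to open systemId itself
        }
        throw new SAXException("Entity resolution disallowed for " + systemId);
    }

    @Override
    public InputSource resolveEntity(String publicId, String systemId) throws SAXException {
        return resolveEntity(null, publicId, null, systemId);
    }

    @Override
    public InputSource getExternalSubset(String name, String baseURI) {
        // No external subset is supplied. Returning null causes no fetch and avoids the
        // resolveEntity(name, null, baseURI, null) path described in the report.
        return null;
    }

    private static void check(boolean actual, boolean expected, String label) {
        if (actual != expected) {
            throw new AssertionError(label + ": expected " + expected + " but got " + actual);
        }
    }

    public static void main(String[] args) throws SAXException {
        AllowlistResolverDemo r = new AllowlistResolverDemo("schemas.opengis.net, www.w3.org");
        check(r.isAllowed(null, "https://schemas.opengis.net/gml/3.2.1/gml.xsd"), true, "allowed host");
        check(r.isAllowed(null, "http://attacker.example/evil.dtd"), false, "foreign host");
        check(r.isAllowed("http://attacker.example/base/", "evil.dtd"), false, "relative id, foreign base");
        check(r.isAllowed(null, "file:///etc/passwd"), false, "file scheme");
        check(r.isAllowed(null, null), false, "null systemId");
        check(new AllowlistResolverDemo("  ").isAllowed(null, "https://www.w3.org/x.dtd"), false, "blank property");
        System.out.println("all checks passed");
    }
}
```

Returning null from resolveEntity hands the fetch back to the parser, so in this design it only happens after the allowlist check has passed; every other outcome throws, which keeps the resolver deny-by-default. The example needs only the JDK (org.xml.sax.ext ships in java.xml, Java 10 or later for Set.of and toUnmodifiableSet); the main method throws an AssertionError if any case misbehaves.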

This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100197-sha1:666e164)