Hi,
I'd like to discuss a couple of security issues related to parsing XML
files coming from outside, both of which involve external entity evaluation:
1) XML Bombs (http://en.wikipedia.org/wiki/Billion_laughs)
The environment variable entityExpansionLimit can be set on the
GeoServer JVM to prevent this kind of attack, but it would be nice to
have it enabled by default.
Further security measures against DoS attacks can be enabled by turning on
FEATURE_SECURE_PROCESSING on the standard XML parsers.
This mode prevents parsing of abnormal files, so the parser will stop
processing xml bombs and other xml files 'too big' (but we can't
configure how much is 'too big').
2) Entities loaded from the local server
(http://jira.codehaus.org/browse/GEOS-5273)
To prevent GeoServer from reading sensitive files on the server, the
Java SecurityManager of the server should be configured.
But even with a restrictive SecurityManager, GeoServer must still be
able to read in its data directory where we have sensitive
information.
In GeoTools and GeoServer I've seen 4 different parsers, instantiated
in many different classes so there's no unique point where we can add
a security control.
I thought we could create a factory for every parser implementation,
containing methods like createParser(Map settings).
Factory settings could be used to enable customizations like an entity
expansion limit, a custom EntityResolver that reads entities only from
a limited set of directories, and so on.
We're in a feature freeze state now but I need to fix those issues in
at least 2 points: SLD and WFS POST parsing.
So at the moment I'd like to just add a GeoServer setting to disable
external entities loading: it would be evaluated when creating parsers for
SLD and WFS POST requests.
Opinions?
Regards,
--
Davide Savazzi
@svzdvd
Senior Software Engineer
GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
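A hardened parser factory along the lines of the createParser(Map settings) idea above, as an added example (not GeoTools or GeoServer code): it turns on FEATURE_SECURE_PROCESSING, disables external entity loading unless a setting allows it, and, when allowed, confines external entities to one directory tree with an EntityResolver. The class name and the settings keys are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Map;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.*;

/** Hypothetical factory in the spirit of the proposed createParser(Map settings); not GeoTools code. */
public class HardenedSaxFactory {
    public static final String ALLOW_EXTERNAL_ENTITIES = "allowExternalEntities"; // assumed key
    public static final String ENTITY_BASE_DIR = "entityBaseDir";                 // assumed key
    public static XMLReader createParser(Map<String, Object> settings) throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // Built-in limits on entity expansion and document size; the thresholds are not tunable here
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        boolean allowExternal = Boolean.TRUE.equals(settings.get(ALLOW_EXTERNAL_ENTITIES));
        if (!allowExternal) {
            // Never resolve <!ENTITY name SYSTEM "..."> or external parameter entities (the GEOS-5273 case)
            f.setFeature("http://xml.org/sax/features/external-general-entities", false);
            f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        }
        XMLReader reader = f.newSAXParser().getXMLReader();
        Object base = settings.get(ENTITY_BASE_DIR);
        if (allowExternal && base != null) {
            // External entities permitted only from one directory tree (e.g. the data directory)
            reader.setEntityResolver(new DirectoryRestrictedResolver(Paths.get(base.toString())));
        }
        return reader;
    }

    /** Rejects every systemId that is not a file: URI inside the allowed directory. */
    static final class DirectoryRestrictedResolver implements EntityResolver {
        private final Path base;
        DirectoryRestrictedResolver(Path base) { this.base = base.toAbsolutePath().normalize(); }
        @Override
        public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
            URI uri = systemId == null ? null : URI.create(systemId);
            if (uri == null || !"file".equalsIgnoreCase(uri.getScheme())) {
                throw new SAXException("Refusing non-file external entity: " + systemId);
            }
            Path target = Paths.get(uri).toAbsolutePath().normalize();
            if (!target.startsWith(base)) {
                throw new SAXException("Refusing external entity outside " + base + ": " + systemId);
            }
            return null; // null = let the parser open the (now vetted) systemId itself
        }
    }
}
```

The SAX parser passes the already-expanded systemId to the resolver, so the path check sees the absolute location the parser would open; a throwing resolver aborts the parse rather than silently substituting empty content.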
Hi Davide
A big +1 for pointing out this problem. I have similar issues in the security subsystem (protecting specific files). I also thought
about using the Java security manager but this configuration has to be done by the local admin. I would prefer hardening GeoServer by the developers. (Package sealing, examining the stack trace,… in my case). Of course, we cannot cover all vulnerabilities, so we have to enhance the documentation.
2013/1/22 Davide <davide.savazzi@anonymised.com403…>
Geoserver-devel mailing list
Geoserver-devel@anonymised.comsts.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
On Tue, Jan 22, 2013 at 3:26 PM, Davide <davide.savazzi@anonymised.com> wrote:
We're in a feature freeze state now but I need to fix those issues in
at least 2 points: SLD and WFS POST parsing.
So at the moment I'd like to just add a GeoServer setting to disable
external entities loading: it would be evaluated when creating parsers for
SLD and WFS POST requests.
Hi,
I've submitted two pull requests to disable external entities loading
in SLD and WFS POST request parsing:
https://github.com/geotools/geotools/pull/141
https://github.com/geoserver/geoserver/pull/167
In GeoServer I've added a global configuration setting to enable this feature.