
I was testing WildFly 8.1 against XXE vulnerabilities and I've found a pretty annoying thing. JAXB by default uses secure parsing and respects the entityExpansionLimit property (defaults to 64k). While this works in Spring MVC, in RestEasy it's being ignored (no problem crashing the server with a big expansion).

Does anyone know if it's possible to secure WildFly/RestEasy against XXE? I've found only support for XML External Entity protection (resteasy.document.expand.entity.references=false).

Jakub Kubrynski
  • `resteasy.document.expand.entity.references=false` seems to achieve what the title of your question requests. If not, what exactly are you missing? See also https://issues.jboss.org/browse/RESTEASY-869 – Harald Wellmann Jul 16 '14 at 16:11
  • @hwellmann this parameter applies when you, for example, try to reach /etc/passwd from an XML entity (XML eXternal Entity). But when you unroll entities (XML Entity Expansion - http://projects.webappsec.org/w/page/13247002/XML%20Entity%20Expansion) then the server explodes. I've seen this issue and in my opinion it's fixing nothing more than a unit test. – Jakub Kubrynski Jul 16 '14 at 18:26
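An added defensive example (editor's code, not from the question or from the RESTEasy/WildFly projects): rather than relying on the framework to honour `entityExpansionLimit`, the application unmarshals JAXB input through its own SAX reader with JAXP secure processing enabled and DOCTYPE declarations disallowed, so an internal DTD with nested entities is rejected before any expansion takes place. The `Greeting` class, the `hardenedReader`/`unmarshal` helpers and both sample documents are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.sax.SAXSource;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

public class SafeXmlUnmarshal {

    // Hypothetical payload type used only for this example.
    @XmlRootElement(name = "greeting")
    public static class Greeting {
        public String text;
    }

    /** Build an XMLReader that refuses DTDs entirely and enables JAXP secure processing. */
    static XMLReader hardenedReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        // JAXP secure processing: enforces the parser's entity expansion and size limits.
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // No DOCTYPE means no internal subset, so there are no entities to unroll.
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces: never resolve external entities even if a DTD slipped through.
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return spf.newSAXParser().getXMLReader();
    }

    /** Unmarshal via a SAXSource so JAXB uses our reader instead of its own default parser. */
    static Greeting unmarshal(String xml) throws Exception {
        JAXBContext ctx = JAXBContext.newInstance(Greeting.class);
        Unmarshaller um = ctx.createUnmarshaller();
        SAXSource src = new SAXSource(hardenedReader(), new InputSource(new StringReader(xml)));
        return (Greeting) um.unmarshal(src);
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign document: parses normally.
        String benign = "<greeting><text>hi</text></greeting>";
        System.out.println("benign -> " + unmarshal(benign).text);

        // Constructed document carrying an internal DTD with a nested entity reference.
        String withDtd = "<!DOCTYPE greeting [<!ENTITY a \"aaaa\"><!ENTITY b \"&a;&a;\">]>"
                       + "<greeting><text>&b;</text></greeting>";
        try {
            unmarshal(withDtd);
            System.out.println("unexpected: DTD document was accepted");
        } catch (JAXBException e) {
            // Expected: the reader rejects the DOCTYPE and JAXB wraps the SAXParseException.
            Throwable cause = e.getLinkedException() != null ? e.getLinkedException() : e;
            System.out.println("rejected: " + cause.getMessage());
        }
    }
}
```

In a JAX-RS application the same `unmarshal` path can be wrapped in a custom `MessageBodyReader` for `application/xml`, which takes the parsing decision out of the framework's hands and makes the limit independent of any RESTEasy context parameter. Rejecting the DOCTYPE outright is the simplest policy when the service never legitimately receives DTDs; where a DTD is required, secure processing alone still bounds expansion at the JAXP limits.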

0 Answers