Disallow DOCTYPE element in SAML responses to prevent XXE vulnerabili…

…ties (#38)
justinbleach · Sep 18, 2019 · 25b0320 · 25b0320
1 parent 210558f
commit 25b0320
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 2 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -1,7 +1,7 @@
 language: java
 
 jdk:
-  - oraclejdk8
+  - openjdk8
 
 cache:
   directories:

diff --git a/src/main/java/com/coveo/saml/SamlClient.java b/src/main/java/com/coveo/saml/SamlClient.java
@@ -40,7 +40,6 @@
 import java.io.Reader;
 import java.io.StringReader;
 import java.io.StringWriter;
-import java.io.UnsupportedEncodingException;
 import java.nio.charset.StandardCharsets;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
@@ -60,6 +59,9 @@
 
 import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
 
+import static com.sun.org.apache.xerces.internal.impl.Constants.DISALLOW_DOCTYPE_DECL_FEATURE;
+import static com.sun.org.apache.xerces.internal.impl.Constants.XERCES_FEATURE_PREFIX;
+
 public class SamlClient {
   private static final Logger logger = LoggerFactory.getLogger(SamlClient.class);
   private static boolean initializedOpenSaml = false;
@@ -548,6 +550,13 @@ private static DOMParser createDOMParser() throws SamlException {
                   "Cannot disable comments parsing to mitigate https://www.kb.cert.org/vuls/id/475445",
                   ex);
             }
+
+            try {
+              setFeature(XERCES_FEATURE_PREFIX + DISALLOW_DOCTYPE_DECL_FEATURE, true);
+            } catch (Throwable ex) {
+              throw new SamlException(
+                  "Cannot disable external entities to prevent XXE injection", ex);
+            }
           }
         };
 

diff --git a/src/test/java/com/coveo/saml/SamlClientTest.java b/src/test/java/com/coveo/saml/SamlClientTest.java
@@ -217,4 +217,22 @@ public void decodeAndValidateSamlResponseRejectsNowBeforeNotBefore() throws Thro
     SamlResponse response = client.decodeAndValidateSamlResponse(AN_ENCODED_RESPONSE);
     assertEquals("[email protected]", response.getNameID());
   }
+
+  // Test for https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html
+  @Test
+  public void itIsNotVulnerableToXXEAttacks() throws Throwable {
+    String decoded = new String(Base64.decodeBase64(AN_ENCODED_RESPONSE), StandardCharsets.UTF_8);
+    String withDtd = "<!DOCTYPE note SYSTEM \"Note.dtd\">" + decoded;
+    SamlClient client =
+        SamlClient.fromMetadata(
+            "myidentifier", "http://some/url", getXml("adfs.xml"), SamlClient.SamlIdpBinding.POST);
+    client.setDateTimeNow(ASSERTION_DATE);
+    try {
+      client.decodeAndValidateSamlResponse(
+          Base64.encodeBase64String(withDtd.getBytes(StandardCharsets.UTF_8)));
+      assertTrue(false);
+    } catch (SamlException ex) {
+      assertTrue(ex.getCause().toString().contains("DOCTYPE is disallowed"));
+    }
+  }
 }