By the way, if you missed it, here's a link to the announcement post.

But let's get to the matter in question. I reproduced this problem on the latest (available at the time of writing) Visual Studio 2022 version - 17.0.0 Preview 3.1.

To reproduce this, the following is sufficient:

- use the Blank Solution template to create a new project

After this, try to copy the following text to the XML file:

Now go make yourself a cup of coffee, get back to your computer - and watch Visual Studio eat up more and more RAM.

Why create some weird XML and add it to projects?

To do this, we'll need to understand why processing XML files carelessly can be dangerous and what the PVS-Studio analyzer has to do with all this.

We continue to actively develop PVS-Studio as a SAST solution. If we talk about the C# analyzer, the main focus here is OWASP (that's the latest version available - we are looking forward to an update!) support. By the way, if you missed it, not too long ago we added the taint analysis feature.

So, I created (or, to be exact, attempted to create) a sample project to test the analyzer. The fact is, one of the OWASP Top 10 categories we are developing diagnostic rules for is A4:2017-XML External Entities (XXE). It has to do with incorrect XML file processing that makes applications vulnerable to attacks.

What does incorrect processing mean? Often it's excessive trust in input data (a perpetual problem that causes many vulnerabilities) combined with XML parsers that lack sufficient limitations.

As a result, if the files are compromised, this may cause various unpleasant consequences. There are two main problems here: data disclosure and denial of service.

- CWE-611: Improper Restriction of XML External Entity Reference.
- CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion').

I'll briefly describe the essence of the problem. If you want to know more, many resources on the internet will provide you with the information you need.

The XML standard assumes the use of DTD (document type definition). DTD enables you to use so-called XML entities. Then you can get the entity value as follows: `&myEntity;`

The catch here is, entities can expand not only into strings (as in our case - "Entity value"), but also into sequences of other entities. For example:

As a result, when expanding the 'lol1' entity, we get a string that looks like this:

lollollollollollollollollollol

You can go further and define the 'lol2' entity by expanding it through 'lol1':

Then when expanding the 'lol2' entity, you get the following output:

lollollollollollollollollollollollollollollollollollollollollollollollol
lollollollollollollollollollollollollollollollollollollollollollollollol

How about going a level deeper and defining the 'lol3' entity?

Here's the output you get when expanding it:

lollollollollollollollollollollollollollollollollollollollollollollollol

The XML file we used at the beginning of the article was generated with the same principle. Now, I think you see where the "billion laughs" name comes from.

So, it turns out, if the XML parser is configured incorrectly (DTD processing is enabled and maximum entity size is not limited) - nothing good happens when this 'bomb' is processed.

Talking about C#, vulnerable code is easiest to demonstrate with an XmlReader type example:

```csharp
var pathToXmlBomb = "<path to the XML bomb file>"; // the actual path is missing from this page
// Deliberately vulnerable, as the text describes: DTD processing enabled, entity size limit removed.
var rs = new XmlReaderSettings() { DtdProcessing = DtdProcessing.Parse, MaxCharactersFromEntities = 0 };
using var reader = XmlReader.Create(File.OpenRead(pathToXmlBomb), rs);
while (reader.Read()) { } // entities are expanded while the document is read
```

If I configure my XmlReader this way, I am almost telling the intruder: "Come on, blow this up!".

the restriction for a maximum number of characters from entities has been removed and the file can grow unhindered.

By default, processing of DTD entities is forbidden: the DtdProcessing property is set to Prohibit. The maximum number of characters from entities is also limited (starting with.
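The XmlReader settings this article discusses, shown in their safe form against a small nested-entity document. This is an added example, not code from the original article or from PVS-Studio; the class and helper names, both sample documents and the cap of 100 characters are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Xml;

static class XmlBombGuard // hypothetical name, for illustration only
{
    // Constructed sample: two levels of nested entities (100 "lol"s when fully expanded).
    const string NestedEntities = @"<?xml version=""1.0""?>
<!DOCTYPE lolz [
  <!ENTITY lol ""lol"">
  <!ENTITY lol1 ""&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;"">
  <!ENTITY lol2 ""&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;"">
]>
<lolz>&lol2;</lolz>";

    // Constructed sample: an ordinary document without a DTD.
    const string NoDtd = "<config><name>demo</name></config>";

    // DTDs forbidden (the default the article mentions); no resolver, so nothing external is fetched.
    static XmlReaderSettings Strict() =>
        new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };

    // For formats that really need a DTD: parse it, but cap what entities may expand to.
    static XmlReaderSettings DtdWithCap(long maxChars) => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Parse,
        MaxCharactersFromEntities = maxChars, // 0 would mean "no limit"
        XmlResolver = null
    };

    // Reads the whole document and reports whether the parser accepted it.
    static string TryRead(string xml, XmlReaderSettings settings)
    {
        try
        {
            using var reader = XmlReader.Create(new StringReader(xml), settings);
            while (reader.Read()) { } // entity expansion happens during Read()
            return "accepted";
        }
        catch (XmlException ex) { return "rejected: " + ex.Message; }
    }

    static void Main()
    {
        Console.WriteLine(TryRead(NoDtd, Strict()));
        Console.WriteLine(TryRead(NestedEntities, Strict()));
        Console.WriteLine(TryRead(NestedEntities, DtdWithCap(100)));
    }
}
```

The first call accepts the plain document; the other two end in an XmlException, one because a DOCTYPE is present at all and one because expansion exceeds the cap.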