New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable FEATURE_SECURE_PROCESSING XML setting by default #2384
Conversation
I don't have a strong feeling on the questions in the discussion section yet. What feedback does others have? |
I would suggest going ahead with this PR and document on reverting to old behavior |
I would like to default to the more secure/restricted approach, with a config where user can opt out of it. |
The decision was to add a new The flag can be used for all file parsing which can limit functionality in order to improve security. |
The change to enable FEATURE_SECURE_PROCESSING by default during XML parsing is to address a security vulnerability. In addition to translating an existing XML parsing test from JUnit to Spock, @nvoxland added two new integration tests for this feature. One test validates the default works as expected and another to test that the override works as expected. Breaking Change Alert New Global Parameter :
Test Environment |
Description
Sets FEATURE_SECURE_PROCESSING=true in the XML parser. Because XSD files are referenced like
http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-4.6.xsd
we do need to enable http/https external XSD references still.Because this feature blocks/changes parser functionality, it will be a breaking change for users expecting the old behavior. Like if the user had a custom XSD with a
file:
prefix they could no longer use liquibase. Or if they referenced an external DTD entity.Discussion
Historically I've not tried to set any limitations on what the XML parser can do under the theory that for liquibase usage, the changelog XML file is "trusted data". It's created and managed by internal users, and if they want to do something malicious there are far easier attacks when you have write access to the changelog file than XXE or whatever attacks. Therefore, I left the ability to pull external entities etc. in there because that can be a great way to write reusable XML code. And people who really do want it locked down more can set system properties like
javax.xml.accessExternalSchema
That being said, security is important. And supporting all XML functionality does open some additional attack vectors for people who DON'T have changelog access. For example, if the changelog developers had used an external entity for a shared macro and the attacker is able to replace that remote resource they would impact the changelog execution.
So far this PR has no configuration settings exposed to control it. It simply enables security and anyone wanting to modify it would need to subclass and extend XMLChangelogSAXParser to modify the settings they need. We could certainly add settings, but what would they be? Just enabling/disabling FEATURE_SECURE_PROCESSING? Or more granular control over flags (which can vary based on xml vendor and version)
Questions:
Dev Handoff Notes (Internal Use)
Links
Testing
Dev Verification
A changelog like this:
would previously fail with a "Connection refused" error as it tried to pull the ssrf entity from localhost but you have no server running.
With the fix, you get an
Failed to read external document 'localhost', because 'https' access is not allowed due to restriction set by the accessExternalDTD property
error unless you have--secure-parsing=false
or set liquibase.secureParsing=false┆Issue is synchronized with this Jira Bug by Unito