When a deployed BPMN XML contains a reference to an external entity, for example:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >
]>
<bpmn2:definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xmlns:bpmn2="http://www.omg.org/spec/BPMN/20100524/MODEL"
                   xmlns:bpmndi="http://www.omg.org/spec/BPMN/20100524/DI"
                   xmlns:camunda="http://activiti.org/bpmn"
                   xmlns:dc="http://www.omg.org/spec/DD/20100524/DC"
                   xmlns:di="http://www.omg.org/spec/DD/20100524/DI"
                   xsi:schemaLocation="http://www.omg.org/spec/BPMN/20100524/MODEL BPMN20.xsd"
                   id="_r7y_gEa-EeO5NO3lqhkDkg"
                   targetNamespace="http://activiti.org/bpmn">
  <!-- [...] -->
  <bpmn2:outgoing>&xxe;</bpmn2:outgoing>
  <!-- [...] -->

then the engine tries to fetch the external entity (XML External Entity, XXE, resolution).
AT:
- there exists a configuration option to disable this behavior
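As an added example (not the issue's own text nor Camunda's code) of what such a configuration option has to switch on under the hood, the following Java snippet parses a constructed BPMN document carrying a SYSTEM entity twice: once with a default DocumentBuilderFactory, which follows the entity reference and fails with a FileNotFoundException because the placeholder path does not exist (i.e. the fetch was attempted), and once with a factory that disallows the DOCTYPE and disables external entity and DTD loading, which rejects the document before any fetch happens. The JDK's built-in Xerces parser, the feature URIs it understands, and the placeholder entity path are assumptions; the BPMN sample is constructed for the demonstration.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

public class BpmnXxeCheck {

    // Constructed sample: a minimal BPMN document with a DOCTYPE that declares an
    // external entity, mirroring the shape of the report. The entity points at a
    // placeholder path (assumed not to exist) so nothing sensitive is ever read.
    static final String BPMN_WITH_ENTITY =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
      + "<!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM \"file:///placeholder/does-not-exist\" >]>\n"
      + "<bpmn2:definitions xmlns:bpmn2=\"http://www.omg.org/spec/BPMN/20100524/MODEL\""
      + " id=\"definitions_1\" targetNamespace=\"http://activiti.org/bpmn\">\n"
      + "  <bpmn2:process id=\"process_1\">\n"
      + "    <bpmn2:startEvent id=\"start\"><bpmn2:outgoing>&xxe;</bpmn2:outgoing></bpmn2:startEvent>\n"
      + "  </bpmn2:process>\n"
      + "</bpmn2:definitions>\n";

    /** Default factory: external general entities are resolved (the reported behaviour). */
    static DocumentBuilderFactory permissiveFactory() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        return f;
    }

    /** Hardened factory: refuse any DOCTYPE, and as defence in depth disable
     *  external entities, external DTD loading and XInclude. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Xerces feature URIs (assumed: the JDK's bundled Xerces understands them).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5 properties: no protocols allowed for external DTDs or schemas.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    /** Parses the sample with the given factory and describes the outcome. */
    static String tryParse(String label, DocumentBuilderFactory factory) {
        try {
            DocumentBuilder builder = factory.newDocumentBuilder();
            Document doc = builder.parse(new InputSource(new StringReader(BPMN_WITH_ENTITY)));
            String outgoing = doc.getElementsByTagNameNS(
                "http://www.omg.org/spec/BPMN/20100524/MODEL", "outgoing").item(0).getTextContent();
            return label + ": parsed; <outgoing> text = \"" + outgoing + "\"";
        } catch (SAXException | IOException | ParserConfigurationException e) {
            // Permissive: FileNotFoundException, proving the entity fetch was attempted.
            // Hardened: SAXParseException about the disallowed DOCTYPE, nothing fetched.
            return label + ": " + e.getClass().getSimpleName() + " - " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println(tryParse("permissive", permissiveFactory()));
        try {
            System.out.println(tryParse("hardened", hardenedFactory()));
        } catch (ParserConfigurationException e) {
            // A parser that cannot honour the hardening features must not be used at all.
            System.out.println("hardened: parser does not support required features - " + e.getMessage());
        }
    }
}
```

The check worth wiring into a deployment pipeline is the second branch: if the parser cannot be configured with these features, deployment of untrusted BPMN should fail closed rather than fall back to the permissive factory.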