Uploaded image for project: 'camunda BPM'
  1. camunda BPM
  2. CAM-9285

Prevention of External Entity Processing

    XMLWordPrintable

Details

    Description

      When a deployed BPMN XML contains a reference to an external entity

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE foo [ 
         <!ELEMENT foo ANY >
         <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
      <bpmn2:definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:bpmn2="http://www.omg.org/spec/BPMN/20100524/MODEL" xmlns:bpmndi="http://www.omg.org/spec/BPMN/20100524/DI" xmlns:camunda="http://activiti.org/bpmn" xmlns:dc="http://www.omg.org/spec/DD/20100524/DC" xmlns:di="http://www.omg.org/spec/DD/20100524/DI" xsi:schemaLocation="http://www.omg.org/spec/BPMN/20100524/MODEL BPMN20.xsd" id="_r7y_gEa-EeO5NO3lqhkDkg" targetNamespace="http://activiti.org/bpmn">
          <!-- [...] -->
          <bpmn2:outgoing>&xxe;</bpmn2:outgoing>
          <!-- [..] -->
      

      then engine tries to fetch the external entity.

      AT:

      • there exists a configuration option to disable this behavior

      mgm-controller-panel

        This is the controller panel for Smart Panels app

        Attachments

          Activity

            People

              yana.vasileva Yana Vasileva
              roman.smirnov Roman Smirnov
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Salesforce