camunda BPM / CAM-9285

Prevention of External Entity Processing


    Details

      Description

      When a deployed BPMN XML contains a reference to an external entity, e.g.

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE foo [ 
         <!ELEMENT foo ANY >
         <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
      <bpmn2:definitions xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:bpmn2="http://www.omg.org/spec/BPMN/20100524/MODEL" xmlns:bpmndi="http://www.omg.org/spec/BPMN/20100524/DI" xmlns:camunda="http://activiti.org/bpmn" xmlns:dc="http://www.omg.org/spec/DD/20100524/DC" xmlns:di="http://www.omg.org/spec/DD/20100524/DI" xsi:schemaLocation="http://www.omg.org/spec/BPMN/20100524/MODEL BPMN20.xsd" id="_r7y_gEa-EeO5NO3lqhkDkg" targetNamespace="http://activiti.org/bpmn">
          <!-- [...] -->
          <bpmn2:outgoing>&xxe;</bpmn2:outgoing>
          <!-- [..] -->
      

      then the engine tries to fetch the external entity: the XML parser resolves the SYSTEM identifier, reads the referenced file (here /etc/passwd) and expands its content into the document.

      AT (acceptance test):

      • there exists a configuration option to disable external entity resolution in the engine's XML parser

            People

            Assignee: yana.vasileva (Yana Vasileva)
            Reporter: roman.smirnov (Smirnov Roman)
            Votes: 0
            Watchers: 3