Summary: Veracode security issue - Improper Restriction of XML External Entity Reference, CWE ID 611, in OOXMLPrettyPrint
Component: SXSSF
Assignee: POI Developers List <dev>
Description (Belliraj, 2019-08-14 09:58:44 UTC)

The product processes an XML document that can contain XML entities with URLs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. By default, the XML entity resolver will attempt to resolve and retrieve external references. If attacker-controlled XML can be submitted to one of these functions, then the attacker could gain access to information about an internal network, local filesystem, or other sensitive data. This is known as an XML eXternal Entity (XXE) attack.

Recommendations: Configure the XML parser to disable external entity resolution.

Flaw Id: 7, Module: poi-ooxml-4.1.0.jar, Location: OOXMLPrettyPrint.java 108
Flaw Id: 8, Module: poi-ooxml-4.1.0.jar, Location: OOXMLPrettyPrint.java 135
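The recommendation above ("disable external entity resolution") in concrete JAXP terms, as an added example that is not code from this report or from the Apache POI project: a DocumentBuilderFactory with DOCTYPE declarations, external entity loading, XInclude and entity expansion switched off, compared with the default factory the finding refers to, and exercised against a constructed sample part that carries an external entity declaration. The class name, the sample strings and the placeholder file path are assumptions made for the example; the feature URIs are the standard Xerces/JAXP ones.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

public class HardenedXmlParsing {

    // Constructed sample (not from the report): an XML part whose DOCTYPE declares an
    // external entity. The path is a placeholder; the shape is what a CWE-611 finding flags.
    static final String SAMPLE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE root [ <!ENTITY ext SYSTEM \"file:///PLACEHOLDER-PATH\"> ]>\n"
      + "<root>&ext;</root>";

    // Constructed sample: an ordinary part with no DTD at all, which both parsers must accept.
    static final String SAMPLE_PLAIN =
        "<?xml version=\"1.0\"?><root><child>ok</child></root>";

    /** Default JAXP settings: DTDs are honoured and external entities are resolved. */
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened settings: no DOCTYPE, no external entities, no external DTD, no XInclude. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE outright is the single strongest setting: without a DTD
        // there is nowhere to declare an entity, internal or external.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // The remaining settings are defence in depth for parsers that still accept a DTD.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // JAXP secure processing adds entity-expansion and resource limits on top.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return dbf.newDocumentBuilder();
    }

    /** Returns true if the builder accepted the input, false if the parser rejected it. */
    static boolean parses(DocumentBuilder db, String xml) throws IOException {
        try {
            Document doc = db.parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement() != null;
        } catch (SAXException e) {
            // With disallow-doctype-decl set, the DOCTYPE sample fails here with a
            // SAXParseException before any entity is resolved.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder dflt = defaultBuilder();
        DocumentBuilder hard = hardenedBuilder();
        System.out.println("default  parses plain part:   " + parses(dflt, SAMPLE_PLAIN));
        System.out.println("hardened parses plain part:   " + parses(hard, SAMPLE_PLAIN));
        System.out.println("hardened parses DOCTYPE part: " + parses(hard, SAMPLE_WITH_DOCTYPE));
    }
}
```

Expected behaviour: both builders accept the plain part; the hardened builder rejects the part with the DOCTYPE before the external reference is ever touched. The same factory settings apply to SAXParserFactory and XMLInputFactory based code, which is why a shared, hardened builder helper is the usual way to keep utility and sample classes from regressing to the defaults.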
Comment 1 (Andreas Beeker, 2019-08-14 19:33:21 UTC)

Every now and then we get findings on dev classes, which aren't meant for production code, but do reside in the release. These dev/sample classes usually don't get much attention after they've been thrown in the trunk. I would prefer to move those classes to the test area or link something like a GitHub project, so it's neither POI's direct responsibility nor do those cases bubble up when the library gets scanned ... more important, we'd get results for real production code problems ...
Comment 2 (PJ Fanning, 2019-08-22 22:00:17 UTC)

I made a change (https://svn.apache.org/repos/asf/poi/trunk@1865720) - but I agree that we should move these util classes to a new code base to keep them out of the jars we publish to Maven Central.