Bug 63664

Summary: Veracode security issue: Improper Restriction of XML External Entity Reference (CWE ID 611) in OOXMLPrettyPrint
Product: POI
Reporter: Belliraj <belliraj>
Component: SXSSF
Assignee: POI Developers List <dev>
Severity: major
Priority: P2
Version: 4.0.x-dev
Target Milestone: ---
Hardware: PC
OS: All

Description Belliraj 2019-08-14 09:58:44 UTC
The product processes an XML document that can contain XML entities with URLs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. By default, the XML entity resolver will attempt to resolve and retrieve external references. If attacker-controlled XML can be submitted to one of these functions, then the attacker could gain access to information about an internal network, local filesystem, or other sensitive data. This is known as an XML eXternal Entity (XXE) attack.

Configure the XML parser to disable external entity resolution.

Flaw Id: 7
Module:  poi-ooxml-4.1.0.jar
Location : OOXMLPrettyPrint.java 108

Flaw Id: 8
Module:  poi-ooxml-4.1.0.jar
Location : OOXMLPrettyPrint.java 135
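The following is an added example, not code from the POI project or from the reporter, illustrating the finding above in a stand-alone pretty-printer: a DOM parser built with a default DocumentBuilderFactory beside one with external entity resolution disabled. The class name, the hypothetical prettyPrint helper, and the constructed payload (which points at a temporary file the program writes itself so it runs offline) are assumptions for the demonstration; they do not describe what OOXMLPrettyPrint does at the flagged lines.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/** Hypothetical demo class; not part of Apache POI. */
public class XxePrettyPrintDemo {

    /** Default JDK factory: DOCTYPEs are accepted and external entities are fetched. */
    static DocumentBuilderFactory unsafeFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Hardened factory: no DOCTYPE, no external DTD, no external entities. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE altogether stops both entity-based XXE and entity expansion bombs.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case a caller later re-enables DOCTYPEs.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        // Note: setExpandEntityReferences(false) alone does NOT prevent the fetch; the features above do.
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parse with the given factory and re-serialize indented (the "pretty print" step). */
    static String prettyPrint(DocumentBuilderFactory f, byte[] xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.parse(new ByteArrayInputStream(xml));
        TransformerFactory tf = TransformerFactory.newInstance();
        // The transformer is a second place external resources can be pulled in; lock it too.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        Transformer t = tf.newTransformer();
        t.setOutputProperty(OutputKeys.INDENT, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for "a sensitive local file" so the demo needs no network or /etc.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "SECRET-CONTENTS".getBytes(StandardCharsets.UTF_8));
        secret.toFile().deleteOnExit();

        // Constructed attacker-controlled document: the entity resolves to the file above.
        String payload = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE r [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
                + "<r>&xxe;</r>";
        byte[] xml = payload.getBytes(StandardCharsets.UTF_8);

        // Unhardened: the file contents are embedded in the pretty-printed output.
        System.out.println("default factory:\n" + prettyPrint(unsafeFactory(), xml));

        // Hardened: parsing fails at the DOCTYPE before any entity is resolved.
        try {
            prettyPrint(hardenedFactory(), xml);
            System.out.println("hardened factory: unexpectedly parsed");
        } catch (SAXParseException e) {
            System.out.println("hardened factory: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Run it with a JDK 8 or later; the first block of output contains SECRET-CONTENTS, the second reports the DOCTYPE rejection. The feature URIs are the standard Xerces ones honoured by the JDK's built-in parser; a third-party JAXP implementation on the classpath may need equivalent settings of its own, so verify with a payload like the one above rather than trusting the configuration alone.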
Comment 1 Andreas Beeker 2019-08-14 19:33:21 UTC
Every now and then we get findings on dev classes, which aren't meant for production code, but do reside in the release.

These dev/sample classes usually don't get much attention after they've been thrown in the trunk. I would prefer to move those classes to the test area or link something like a github project, so it's neither POI's direct responsibility nor do those cases bubble up when the library gets scanned ... more importantly, we'd get results for real production code problems ...
Comment 2 PJ Fanning 2019-08-22 22:00:17 UTC
I made a change (https://svn.apache.org/repos/asf/poi/trunk@1865720) - but I agree that we should move these util classes to a new code base to keep them out of the jars we publish to maven central.