Bug 63899

Summary: xxe vulnerability
Product: POI
Reporter: Santosh Pandey <callsanpan>
Component: XSSF
Assignee: POI Developers List <dev>
Status: RESOLVED INVALID    
Severity: blocker    
Priority: P2    
Version: 4.1.0-FINAL   
Target Milestone: ---   
Hardware: PC   
OS: Mac OS X 10.1   
Attachments: pw: test123

Description Santosh Pandey 2019-11-01 18:21:26 UTC
Created attachment 36868 [details]
pw: test123

Apache POI's latest version 4.1.1 is still vulnerable to an XXE vulnerability while uploading the XLSX file.
An XXE attack can be made by adding a Doc Type declaration to the sharedStrings.xml file. The current implementation blocks the vulnerability if it is injected in all other XML files but doesn't when it is added to the sharedStrings.xml file.
Please do the needful.
The vulnerable file is attached.
Comment 1 PJ Fanning 2019-11-01 20:09:27 UTC
That DTD is benign.

If you use XSSFWorkbook, XMLBeans is used to load the sharedstrings.xml.

XMLBeans can be configured to control some of the XML Parser behaviours (org.apache.poi.ooxml.POIXMLTypeLoader.DEFAULT_XML_OPTIONS).

The XML parser secure processing flags are enabled by default so malicious DTDs should be rejected.
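The report places the DOCTYPE in xl/sharedStrings.xml and the comment above notes that XMLBeans parses that part with secure processing enabled. As an added example (written for this page, not code from POI or XMLBeans), the following pre-check treats the upload as the zip package it is and flags every XML part that carries a DOCTYPE declaration, so a defender can reject the file before any XML parser sees it. The two sample packages are constructed in memory; the DTD in the second one only defines an internal entity.

```python
import codecs
import io
import re
import zipfile

SST_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"

# Constructed sample sharedStrings part (not the bug's attachment).
CLEAN_SST = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    f'<sst xmlns="{SST_NS}" count="1" uniqueCount="1">'
    '<si><t>hello</t></si></sst>'
)

# Same part with an internal-subset DTD in the prolog. The entity is harmless;
# the point is that a DOCTYPE appears where POI's parser will see it.
DOCTYPE_SST = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<!DOCTYPE sst [ <!ENTITY greeting "hello"> ]>\n'
    f'<sst xmlns="{SST_NS}" count="1" uniqueCount="1">'
    '<si><t>&greeting;</t></si></sst>'
)

# XML keywords are case-sensitive: only the exact uppercase form is a DOCTYPE.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b")


def build_xlsx(shared_strings_xml: str) -> bytes:
    """Assemble a minimal OOXML-style zip around the given sharedStrings part (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        zf.writestr("xl/workbook.xml", '<?xml version="1.0"?><workbook/>')
        zf.writestr("xl/sharedStrings.xml", shared_strings_xml)
    return buf.getvalue()


def _decode_part(data: bytes) -> str:
    """Decode an XML part, honouring a UTF-16 BOM so a re-encoded DOCTYPE is still seen."""
    if data.startswith(codecs.BOM_UTF16_LE) or data.startswith(codecs.BOM_UTF16_BE):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def find_doctype_parts(package: bytes) -> list[str]:
    """Return the names of all XML parts (including .rels) that contain a DOCTYPE declaration."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".xml", ".rels")):
                continue
            if DOCTYPE_RE.search(_decode_part(zf.read(info.filename))):
                flagged.append(info.filename)
    return sorted(flagged)


if __name__ == "__main__":
    for label, part in (("clean", CLEAN_SST), ("doctype", DOCTYPE_SST)):
        print(label, find_doctype_parts(build_xlsx(part)))
```

No legitimate OOXML part needs a DOCTYPE, so a non-empty result is enough to quarantine the upload regardless of whether the DTD it carries is benign; the check scans every XML and .rels part, not just sharedStrings.xml, since the report's observation is that the location of the declaration is what mattered.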
Comment 2 Dominik Stadler 2019-11-02 05:52:28 UTC
Please follow the security reporting guidelines for Apache projects described at https://www.apache.org/security/, i.e. ideally the report is sent to a mailing list only at first to not make any potential security issue publicly available immediately.

Also please include code to show the problem that you see, as it seems we cannot reproduce the described behavior just off of the xlsx file. Especially, what do you mean by "uploading", and which code is used to demonstrate the problem?
Comment 3 Santosh Pandey 2019-11-02 06:07:32 UTC
OK, sorry, sending the issue to the email list, closing this here.
Comment 4 Santosh Pandey 2019-11-02 06:09:36 UTC
You can delete this bug
Comment 5 PJ Fanning 2021-09-06 13:43:17 UTC
One option is to use this:

// Tell XMLBeans (which POI uses to parse the OOXML parts) not to fetch external DTDs
org.apache.poi.ooxml.POIXMLTypeLoader.DEFAULT_XML_OPTIONS.setLoadExternalDTD(false);
Comment 6 PJ Fanning 2021-09-07 19:41:44 UTC
If you want to prevent the DTD being read at all, try this:

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

// Xerces feature URIs that control DTD handling
static final String FEATURE_LOAD_DTD_GRAMMAR = "http://apache.org/xml/features/nonvalidating/load-dtd-grammar";
static final String FEATURE_LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
static final String FEATURE_DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";

// setFeature() and newSAXParser() throw checked exceptions, so this has to run
// inside a method that declares or handles them
static void installHardenedXmlReader() throws ParserConfigurationException, SAXException {
    SAXParserFactory saxFactory = SAXParserFactory.newInstance();
    saxFactory.setValidating(false);
    saxFactory.setNamespaceAware(true);
    saxFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // JAXP entity-expansion limits
    saxFactory.setFeature(FEATURE_LOAD_DTD_GRAMMAR, false);    // do not build the DTD grammar
    saxFactory.setFeature(FEATURE_LOAD_EXTERNAL_DTD, false);   // never fetch an external DTD
    saxFactory.setFeature(FEATURE_DISALLOW_DOCTYPE_DECL, true); // any DOCTYPE declaration is a fatal error
    XMLReader xmlReader = saxFactory.newSAXParser().getXMLReader();

    // XMLBeans, which POI uses for the OOXML parts, now parses with this reader
    org.apache.poi.ooxml.POIXMLTypeLoader.DEFAULT_XML_OPTIONS.setLoadUseXMLReader(xmlReader);
}