Bug 63664 - Veracode security issue-Improper Restriction of XML External Entity Reference CWE ID 611 in OOXMLPrettyPrint
Summary: Veracode security issue-Improper Restriction of XML External Entity Reference...
Alias: None
Product: POI
Classification: Unclassified
Component: SXSSF
Version: 4.0.x-dev
Hardware: PC All
Importance: P2 major
Target Milestone: ---
Assignee: POI Developers List
Depends on:
Reported: 2019-08-14 09:58 UTC by Belliraj
Modified: 2021-10-09 07:56 UTC
Description Belliraj 2019-08-14 09:58:44 UTC
The product processes an XML document that can contain XML entities with URLs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. By default, the XML entity resolver will attempt to resolve and retrieve external references. If attacker-controlled XML can be submitted to one of these functions, then the attacker could gain access to information about an internal network, local filesystem, or other sensitive data. This is known as an XML eXternal Entity (XXE) attack.

Configure the XML parser to disable external entity resolution.

Flaw Id: 7
Module: poi-ooxml-4.1.0.jar
Location: OOXMLPrettyPrint.java 108

Flaw Id: 8
Module: poi-ooxml-4.1.0.jar
Location: OOXMLPrettyPrint.java 135
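The remediation the finding recommends, "configure the XML parser to disable external entity resolution", as an added example that is not part of this bug report or of POI's own code. It uses plain JAXP: the feature URIs are the standard Xerces ones supported by the JDK's built-in parser (other parser implementations may reject them with a ParserConfigurationException), and the two XML documents are constructed here to show a hardened parser accepting a plain document and refusing one that declares an external entity.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedXmlParser {

    // Factory configured so that entity declarations are never honoured.
    // Feature URIs are the standard Xerces/JDK ones (assumption: a Xerces-based parser).
    public static DocumentBuilderFactory newHardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary control: refuse any DOCTYPE, which is where entities are declared.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, should a DOCTYPE ever be permitted again.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Parses a UTF-8 string with the hardened factory; throws SAXParseException on a DOCTYPE.
    public static Document parse(String xml) throws Exception {
        DocumentBuilder db = newHardenedFactory().newDocumentBuilder();
        // Last line of defence: any entity the parser still asks for resolves to an empty source.
        db.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a harmless document, and one declaring an external entity
        // (the SYSTEM identifier is an obvious placeholder, not a real path).
        String benign = "<?xml version=\"1.0\"?><root><item>ok</item></root>";
        String withExternalEntity = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE root [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/not-a-real-path\">]>"
            + "<root>&ext;</root>";

        System.out.println("benign root element: " + parse(benign).getDocumentElement().getTagName());
        try {
            parse(withExternalEntity);
            System.out.println("UNEXPECTED: document with a DOCTYPE was accepted");
        } catch (SAXParseException e) {
            // With disallow-doctype-decl set, the parser stops at the DOCTYPE before
            // the entity declaration is even read, so nothing external is fetched.
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The single feature that matters most is disallow-doctype-decl: it ends parsing before any entity declaration is processed, so the remaining settings only matter for code paths that must accept a DOCTYPE. If a parser rejects a feature URI it does not know, treat that as a configuration failure rather than silently continuing with a default factory.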
Comment 1 Andreas Beeker 2019-08-14 19:33:21 UTC
Every now and then we get findings on dev classes, which aren't meant for production code, but do reside in the release.

These dev/sample classes usually don't get much attention after they've been thrown in the trunk. I would prefer to move those classes to the test area or link something like a github project, so it's neither POI's direct responsibility nor do those cases bubble up when the library gets scanned ... more important, we'd get results for real production code problems ...
Comment 2 PJ Fanning 2019-08-22 22:00:17 UTC
I made a change (https://svn.apache.org/repos/asf/poi/trunk@1865720) - but I agree that we should move these util classes to new code base to keep them out of the jars we publish to maven central.