Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
ID: 0049039 | Project: Openbravo ERP | Category: A. Platform | View Status: public | Date Submitted: 2022-04-12 12:27 | Last Update: 2022-04-26 14:27
Reporter: fermin_ostivar
Assigned To: AugustoMauch
Priority: immediate | Severity: critical | Reproducibility: always
Status: closed | Resolution: fixed
5
pi 
Fixed in Version: PR22Q3
Modules: Core
Triggers an Emergency Pack: No
0049039: XML parsers XXE attacks vulnerability
We have detected a SAXParser vulnerable to an XXE attack in the class TranslationManager

      final SAXParserFactory factory = SAXParserFactory.newInstance();
      final SAXParser parser = factory.newSAXParser();
      parser.parse(in, handler);


https://gitlab.com/openbravo/product/openbravo/-/blob/master/src/org/openbravo/erpCommon/ad_forms/TranslationManager.java#L641
https://gitlab.com/openbravo/product/openbravo/-/blob/master/src/org/openbravo/erpCommon/ad_forms/TranslationManager.java#L666
N/A
Create a new method in the class XMLUtil.java, newSAXReader, and call it in the lines reported previously.
No tags attached.
related to: defect 0040642 (closed, alostale) centralize in XMLUtils creation of objects to deal with XML documents
depends on: backport 0049051 PR22Q2 (closed, AugustoMauch) XML parsers XXE attacks vulnerability
depends on: backport 0049052 PR22Q1.2 (closed, AugustoMauch) XML parsers XXE attacks vulnerability
depends on: backport 0049053 PR21Q4.5 (closed, AugustoMauch) XML parsers XXE attacks vulnerability
Issue History
2022-04-12 12:27 | fermin_ostivar | New Issue
2022-04-12 12:27 | fermin_ostivar | Assigned To => Triage Platform Base
2022-04-12 12:27 | fermin_ostivar | Modules => Core
2022-04-12 12:27 | fermin_ostivar | Triggers an Emergency Pack => No
2022-04-12 13:04 | alostale | Relationship added: related to 0040642
2022-04-13 13:23 | AugustoMauch | Assigned To: Triage Platform Base => AugustoMauch
2022-04-13 13:24 | AugustoMauch | Status: new => scheduled
2022-04-25 11:21 | hgbot | Note Added: 0136714
2022-04-26 14:27 | hgbot | Resolution: open => fixed
2022-04-26 14:27 | hgbot | Status: scheduled => closed
2022-04-26 14:27 | hgbot | Note Added: 0136755
2022-04-26 14:27 | hgbot | Fixed in Version => PR22Q3
2022-04-26 14:27 | hgbot | Note Added: 0136756

Notes
(0136714)
hgbot
2022-04-25 11:21
Merge Request created: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/566
(0136755)
hgbot
2022-04-26 14:27
Merge request merged: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/566
(0136756)
hgbot
2022-04-26 14:27
Directly closing issue as related merge request is already approved.

Repository: https://gitlab.com/openbravo/product/openbravo
Changeset: bf9a81bcfcd0e81704c377e350fc33edb850349e
Author: Augusto Mauch <augusto.mauch@openbravo.com>
Date: 26-04-2022 12:27:24
URL: https://gitlab.com/openbravo/product/openbravo/-/commit/bf9a81bcfcd0e81704c377e350fc33edb850349e

Fixes ISSUE-49039: Provides a safe way to create instances of SAXParser

A new method has been created in XMLUtil to create instances of SAXParser that are not vulnerable to XXE attacks

---
M src/org/openbravo/dal/xml/XMLUtil.java
M src/org/openbravo/erpCommon/ad_forms/TranslationManager.java
---