Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
0049053Openbravo ERPA. Platformpublic2022-04-12 12:272022-04-26 14:28
fermin_ostivar 
AugustoMauch 
immediatecriticalalways
closedfixed 
5
pi 
PR21Q4.5PR21Q4.5 
Core
No
0049053: XML parsers XXE attacks vulnerabilty
We have detected a SaxParser vulnerable to XXE attach in the class TranslationManager

      final SAXParserFactory factory = SAXParserFactory.newInstance();
      final SAXParser parser = factory.newSAXParser();
      parser.parse(in, handler);


https://gitlab.com/openbravo/product/openbravo/-/blob/master/src/org/openbravo/erpCommon/ad_forms/TranslationManager.java#L641 [^]
https://gitlab.com/openbravo/product/openbravo/-/blob/master/src/org/openbravo/erpCommon/ad_forms/TranslationManager.java#L666 [^]
N/A
To create a new get method in the class XMLUtil.java as newSAXReader and to call it in the lines reported previously
No tags attached.
blocks design defect 0049039 closed AugustoMauch XML parsers XXE attacks vulnerabilty 
Issue History
2022-04-13 13:24AugustoMauchTypedesign defect => backport
2022-04-13 13:24AugustoMauchTarget Version => PR21Q4.5
2022-04-25 17:17hgbotNote Added: 0136727
2022-04-26 14:27hgbotResolutionopen => fixed
2022-04-26 14:27hgbotStatusscheduled => closed
2022-04-26 14:27hgbotFixed in Version => PR21Q4.5
2022-04-26 14:28hgbotNote Added: 0136761
2022-04-26 14:28hgbotNote Added: 0136762

Notes
(0136727)
hgbot   
2022-04-25 17:17   
Merge Request created: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/569 [^]
(0136761)
hgbot   
2022-04-26 14:28   
Directly closing issue as related merge request is already approved.

Repository: https://gitlab.com/openbravo/product/openbravo [^]
Changeset: 619d17b16f2d3783124d057292648ba2f08e43c6
Author: Augusto Mauch <augusto.mauch@openbravo.com>
Date: 26-04-2022 12:27:36
URL: https://gitlab.com/openbravo/product/openbravo/-/commit/619d17b16f2d3783124d057292648ba2f08e43c6 [^]

Fixes ISSUE-49053: Provides a safe way to create instances of SAXParser

A new method has been created in XMLUtil to create instances of SAXParser that are not vulnerable to XXE attacks

---
M src/org/openbravo/dal/xml/XMLUtil.java
M src/org/openbravo/erpCommon/ad_forms/TranslationManager.java
---
(0136762)
hgbot   
2022-04-26 14:28   
Merge request merged: https://gitlab.com/openbravo/product/openbravo/-/merge_requests/569 [^]