JEP411: Missing use-case: Monitoring / restricting libraries
Alan Bateman
Alan.Bateman at oracle.com
Sat Apr 17 14:51:56 UTC 2021
On 16/04/2021 02:29, Reinier Zwitserloot wrote:
> :
>
> * An XML parser library may make network calls or open files on disk
> due to e.g. XXE shenanigans: See
> https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
> – this isn't just plausible, we have plenty of proof that this has
> caused significant security breaches multiple times in XML's history.
> A SecurityManager that monitors (or outright denies) specifically the
> network and disk access from an XML parser library would have meant
> XXE attacks could never have happened.
>
The Security Developer's Guide has a good chapter on this topic [1] as
there are many configuration knobs to restrict or disable "external access"
during XML processing. As things stand, running with a security manager
enables FEATURE_SECURE_PROCESSING globally but that is unfortunate
coupling and perhaps masks that the security features for XML processing
can be controlled programmatically; it doesn't require a security
manager to do that.
-Alan
[1]
https://docs.oracle.com/en/java/javase/16/security/java-api-xml-processing-jaxp-security-guide.html
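
The programmatic control described in the reply above, as an added example that is not part of the original message or of the JDK documentation: it parses one document with a default DocumentBuilderFactory and with one whose external access is restricted through the JAXP properties. It assumes the JDK's built-in parser; the class name, the sample document and the placeholder file path are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class JaxpExternalAccessDemo {

    // Constructed sample input: the internal DTD subset declares an external
    // entity. The path is a placeholder, not a file this example depends on.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE note [ <!ENTITY ext SYSTEM \"file:///tmp/placeholder.txt\"> ]>\n"
      + "<note>&ext;</note>";

    // Factory with external access disabled, no security manager involved.
    static DocumentBuilderFactory restrictedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // An empty protocol list means no external DTD, entity or schema
        // may be fetched, whatever the scheme (file, http, jar, ...).
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        dbf.setXIncludeAware(false);
        return dbf;
    }

    // Parses SAMPLE and reports what the parser did with the external entity.
    static String tryParse(DocumentBuilderFactory dbf) {
        try {
            dbf.newDocumentBuilder().parse(
                new ByteArrayInputStream(SAMPLE.getBytes(StandardCharsets.UTF_8)));
            return "parsed (external entity was resolved)";
        } catch (SAXException e) {
            return "rejected by parser: " + e.getMessage();
        } catch (IOException e) {
            // The parser tried to open the external resource and the I/O failed.
            return "parser attempted external access: " + e;
        } catch (ParserConfigurationException e) {
            return "configuration not supported: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default:    " + tryParse(DocumentBuilderFactory.newInstance()));
        System.out.println("restricted: " + tryParse(restrictedFactory()));
    }
}
```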