为防御恶意 XML 设置 Apache CXF 总线属性
Setting Apache CXF bus properties to reject malicious (oversized / deeply nested) XML
我正在尝试设置 CXF 总线属性来限制恶意 XML(深层嵌套、超大文档等),如下所示
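<?xml version="1.0" encoding="UTF-8"?>
<!--
  Bus-level StAX parsing limits for Apache CXF.

  Every limit below is set to 1, which rejects practically any request body
  (the sample <Book><name>..</name></Book> already exceeds a depth of 1).
  That is only useful as a smoke test to prove the limits are enforced;
  a production config keeps the CXF defaults and adjusts single limits only
  where a specific endpoint needs it.

  Unused namespace declarations (sec, http) were dropped, and the stale
  spring-beans-2.0.xsd location was replaced by the versionless one that the
  working configuration later on this page uses.

  NOTE(review): the working configuration on this page also imports
  classpath:META-INF/cxf/cxf.xml; if the bus properties are still not
  applied, compare against that config (and confirm Woodstox is on the
  classpath ahead of any container-provided StAX parser).
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:cxf="http://cxf.apache.org/core"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd">

  <cxf:bus>
    <cxf:properties>
      <!-- org.apache.cxf.stax.* limits; 1 = reject almost everything (test value only) -->
      <entry key="org.apache.cxf.stax.maxAttributeCount" value="1"/>
      <entry key="org.apache.cxf.stax.maxAttributeSize"  value="1"/>
      <entry key="org.apache.cxf.stax.maxChildElements"  value="1"/>
      <entry key="org.apache.cxf.stax.maxElementCount"   value="1"/>
      <entry key="org.apache.cxf.stax.maxElementDepth"   value="1"/>
      <entry key="org.apache.cxf.stax.maxTextLength"     value="1"/>
    </cxf:properties>
  </cxf:bus>

</beans>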
CXF 似乎没有读取这些属性。上面的代码位于 Spring 上下文 XML 文件中。每当我发出一个包含多个元素和子元素的 POST 请求时,CXF 都不会抛出任何错误(按上面的限制值 1,几乎任何请求都应被拒绝)。我使用的是 CXF 3.1.1。
我已经在 Tomcat 中分别使用 Java 1.6 和 Java 1.8 测试了 CXF 2.7.13 和 3.1.6 的总线属性,两种情况下超出限制的 XML 请求都按文档所述被拒绝。
请确保 Woodstox 和 StAX API 库位于类路径中:CXF 把这些解析限制的执行委托给底层的 StAX 解析器。如果应用服务器自带 XML 解析器,这些库必须在类路径上排在服务器自带解析器之前(否则可能被另一个不执行这些限制的解析器取代——请自行确认)。详见 CXF 的 server configuration guide。
下面我会详细列出配置,以便您对照检查自己的配置。
CXF 依赖项(Ivy 格式)
<!-- CXF 3.1.6 runtime used by the working example (Ivy syntax).
     cxf-rt-ws-security brings in the WS-Security support; presumably not
     needed by the two sample services on this page - verify before copying.
     NOTE(review): 3.1.x is an old release line; check the Apache CXF security
     advisories before reusing these coordinates in a new project. -->
<dependency org="org.apache.cxf" name="cxf-rt-frontend-jaxrs" rev="3.1.6" conf="default"/>
<dependency org="org.apache.cxf" name="cxf-rt-frontend-jaxws" rev="3.1.6" conf="default"/>
<dependency org="org.apache.cxf" name="cxf-rt-ws-security" rev="3.1.6" conf="default"/>
<dependency org="org.apache.cxf" name="cxf-rt-rs-extension-providers" rev="3.1.6" conf="default"/>
spring CXF 配置
<!--
  Working CXF Spring configuration (CXF 3.1.6, Tomcat, Java 6/8): one JAX-WS
  endpoint, one JAX-RS server, and bus-wide StAX parsing limits.

  The limits are deliberately set to 1 so that every request body is rejected;
  this demonstrates that the bus properties are honoured.  Removing the
  <cxf:bus> element restores the CXF defaults.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:cxf="http://cxf.apache.org/core"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xmlns:jaxrs="http://cxf.apache.org/jaxrs"
       xmlns:http-conf="http://cxf.apache.org/transports/http/configuration"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:util="http://www.springframework.org/schema/util"
       default-lazy-init="false"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
         http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
         http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
         http://cxf.apache.org/jaxrs http://cxf.apache.org/schemas/jaxrs.xsd
         http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
         http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd">

  <!-- CXF bus bootstrap -->
  <import resource="classpath:META-INF/cxf/cxf.xml"/>

  <!-- SOAP (JAX-WS) endpoint -->
  <bean id="sampleEndPointImpl" class="com.SampleEndPointImpl"/>
  <jaxws:endpoint id="sampleServiceSOAP"
                  address="/sampleEndPoint"
                  endpointName="SampleEndPoint"
                  implementor="#sampleEndPointImpl"/>

  <!-- REST (JAX-RS) server hosting BookService -->
  <bean id="bookService" class="com.BookService"/>
  <jaxrs:server id="bookservice" address="/">
    <jaxrs:serviceBeans>
      <ref bean="bookService"/>
    </jaxrs:serviceBeans>
  </jaxrs:server>

  <!-- StAX limits applied to every inbound document on this bus.
       Value 1 is a smoke-test value; keep the CXF defaults in production. -->
  <cxf:bus>
    <cxf:properties>
      <entry key="org.apache.cxf.stax.maxAttributeCount" value="1"/>
      <entry key="org.apache.cxf.stax.maxAttributeSize"  value="1"/>
      <entry key="org.apache.cxf.stax.maxChildElements"  value="1"/>
      <entry key="org.apache.cxf.stax.maxElementCount"   value="1"/>
      <entry key="org.apache.cxf.stax.maxElementDepth"   value="1"/>
      <entry key="org.apache.cxf.stax.maxTextLength"     value="1"/>
    </cxf:properties>
  </cxf:bus>

</beans>
示例 REST 服务器
BookService.java
/**
 * Demo JAX-RS resource: unmarshals the XML request body into a {@link Book}
 * and replies with the book name followed by "123".
 *
 * The body is parsed by CXF before this method runs, so the
 * org.apache.cxf.stax.* limits apply here (the JAXBException shown further
 * down on this page comes from that step).
 * NOTE(review): the name is reflected back unchanged, and a missing name
 * yields "null123" - acceptable for a parsing smoke test, not for a real
 * service.
 */
@POST
@Path("/test")
@Consumes(MediaType.APPLICATION_XML)
public Response test(Book book) {
    final String reply = book.getName() + "123";
    return Response.ok(reply).build();
}
Book.java
/**
 * JAXB-bound request payload for the sample REST service:
 * {@code <Book><name>..</name></Book>}.
 */
@XmlRootElement(name = "Book")
public class Book {

    /** Content of the {@code <name>} child element; stays null until set. */
    private String name;

    public void setName(String name) {
        this.name = name;
    }

    public String getName() {
        return name;
    }
}
请求测试
POST /test
Content-Type:application/xml
<Book><name>aaaa</name></Book>
收到错误
JAXBException occurred : Maximum Element Depth limit (1) Exceeded. Maximum Element Depth limit (1) Exceeded.
如果删除 <cxf:bus> 部分,则会应用 CXF 的默认限制(default values),示例 XML 会被正常处理,响应为:
aaaa123
在 CXF 3.2.4 上,总线级别的配置对我没有任何效果。
在端点级别配置后,一切都正常工作(注意:示例把 maxTextLength 提高到 536870912,即 512 MiB,这实际上放弃了该限制对超大文本节点的内存耗尽防护;只应对确有需要的端点这样做,而不是全局放宽):
<jaxws:endpoint address="/myEndpoint" id="myEndpoinId" implementor="#myEndpoint">
<jaxws:properties>
<entry key="org.apache.cxf.stax.maxTextLength" value="536870912"/>
</jaxws:properties> (...)
我正在尝试设置 CXF 总线属性来限制恶意 XML(深层嵌套、超大文档等),如下所示
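<?xml version="1.0" encoding="UTF-8"?>
<!--
  Bus-level StAX parsing limits for Apache CXF.

  Every limit below is set to 1, which rejects practically any request body
  (the sample <Book><name>..</name></Book> already exceeds a depth of 1).
  That is only useful as a smoke test to prove the limits are enforced;
  a production config keeps the CXF defaults and adjusts single limits only
  where a specific endpoint needs it.

  Unused namespace declarations (sec, http) were dropped, and the stale
  spring-beans-2.0.xsd location was replaced by the versionless one that the
  working configuration later on this page uses.

  NOTE(review): the working configuration on this page also imports
  classpath:META-INF/cxf/cxf.xml; if the bus properties are still not
  applied, compare against that config (and confirm Woodstox is on the
  classpath ahead of any container-provided StAX parser).
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:cxf="http://cxf.apache.org/core"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd">

  <cxf:bus>
    <cxf:properties>
      <!-- org.apache.cxf.stax.* limits; 1 = reject almost everything (test value only) -->
      <entry key="org.apache.cxf.stax.maxAttributeCount" value="1"/>
      <entry key="org.apache.cxf.stax.maxAttributeSize"  value="1"/>
      <entry key="org.apache.cxf.stax.maxChildElements"  value="1"/>
      <entry key="org.apache.cxf.stax.maxElementCount"   value="1"/>
      <entry key="org.apache.cxf.stax.maxElementDepth"   value="1"/>
      <entry key="org.apache.cxf.stax.maxTextLength"     value="1"/>
    </cxf:properties>
  </cxf:bus>

</beans>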
CXF 似乎没有读取这些属性。上面的代码位于 Spring 上下文 XML 文件中。每当我发出一个包含多个元素和子元素的 POST 请求时,CXF 都不会抛出任何错误(按上面的限制值 1,几乎任何请求都应被拒绝)。我使用的是 CXF 3.1.1。
我已经在 Tomcat 中分别使用 Java 1.6 和 Java 1.8 测试了 CXF 2.7.13 和 3.1.6 的总线属性,两种情况下超出限制的 XML 请求都按文档所述被拒绝。
请确保 Woodstox 和 StAX API 库位于类路径中:CXF 把这些解析限制的执行委托给底层的 StAX 解析器。如果应用服务器自带 XML 解析器,这些库必须在类路径上排在服务器自带解析器之前(否则可能被另一个不执行这些限制的解析器取代——请自行确认)。详见 CXF 的 server configuration guide。
下面我会详细列出配置,以便您对照检查自己的配置。
CXF 依赖项(Ivy 格式)
<!-- CXF 3.1.6 runtime used by the working example (Ivy syntax).
     cxf-rt-ws-security brings in the WS-Security support; presumably not
     needed by the two sample services on this page - verify before copying.
     NOTE(review): 3.1.x is an old release line; check the Apache CXF security
     advisories before reusing these coordinates in a new project. -->
<dependency org="org.apache.cxf" name="cxf-rt-frontend-jaxrs" rev="3.1.6" conf="default"/>
<dependency org="org.apache.cxf" name="cxf-rt-frontend-jaxws" rev="3.1.6" conf="default"/>
<dependency org="org.apache.cxf" name="cxf-rt-ws-security" rev="3.1.6" conf="default"/>
<dependency org="org.apache.cxf" name="cxf-rt-rs-extension-providers" rev="3.1.6" conf="default"/>
spring CXF 配置
<!--
  Working CXF Spring configuration (CXF 3.1.6, Tomcat, Java 6/8): one JAX-WS
  endpoint, one JAX-RS server, and bus-wide StAX parsing limits.

  The limits are deliberately set to 1 so that every request body is rejected;
  this demonstrates that the bus properties are honoured.  Removing the
  <cxf:bus> element restores the CXF defaults.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:cxf="http://cxf.apache.org/core"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xmlns:jaxrs="http://cxf.apache.org/jaxrs"
       xmlns:http-conf="http://cxf.apache.org/transports/http/configuration"
       xmlns:context="http://www.springframework.org/schema/context"
       xmlns:util="http://www.springframework.org/schema/util"
       default-lazy-init="false"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
         http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
         http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
         http://cxf.apache.org/jaxrs http://cxf.apache.org/schemas/jaxrs.xsd
         http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
         http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd">

  <!-- CXF bus bootstrap -->
  <import resource="classpath:META-INF/cxf/cxf.xml"/>

  <!-- SOAP (JAX-WS) endpoint -->
  <bean id="sampleEndPointImpl" class="com.SampleEndPointImpl"/>
  <jaxws:endpoint id="sampleServiceSOAP"
                  address="/sampleEndPoint"
                  endpointName="SampleEndPoint"
                  implementor="#sampleEndPointImpl"/>

  <!-- REST (JAX-RS) server hosting BookService -->
  <bean id="bookService" class="com.BookService"/>
  <jaxrs:server id="bookservice" address="/">
    <jaxrs:serviceBeans>
      <ref bean="bookService"/>
    </jaxrs:serviceBeans>
  </jaxrs:server>

  <!-- StAX limits applied to every inbound document on this bus.
       Value 1 is a smoke-test value; keep the CXF defaults in production. -->
  <cxf:bus>
    <cxf:properties>
      <entry key="org.apache.cxf.stax.maxAttributeCount" value="1"/>
      <entry key="org.apache.cxf.stax.maxAttributeSize"  value="1"/>
      <entry key="org.apache.cxf.stax.maxChildElements"  value="1"/>
      <entry key="org.apache.cxf.stax.maxElementCount"   value="1"/>
      <entry key="org.apache.cxf.stax.maxElementDepth"   value="1"/>
      <entry key="org.apache.cxf.stax.maxTextLength"     value="1"/>
    </cxf:properties>
  </cxf:bus>

</beans>
示例 REST 服务器
BookService.java
/**
 * Demo JAX-RS resource: unmarshals the XML request body into a {@link Book}
 * and replies with the book name followed by "123".
 *
 * The body is parsed by CXF before this method runs, so the
 * org.apache.cxf.stax.* limits apply here (the JAXBException shown further
 * down on this page comes from that step).
 * NOTE(review): the name is reflected back unchanged, and a missing name
 * yields "null123" - acceptable for a parsing smoke test, not for a real
 * service.
 */
@POST
@Path("/test")
@Consumes(MediaType.APPLICATION_XML)
public Response test(Book book) {
    final String reply = book.getName() + "123";
    return Response.ok(reply).build();
}
Book.java
/**
 * JAXB-bound request payload for the sample REST service:
 * {@code <Book><name>..</name></Book>}.
 */
@XmlRootElement(name = "Book")
public class Book {

    /** Content of the {@code <name>} child element; stays null until set. */
    private String name;

    public void setName(String name) {
        this.name = name;
    }

    public String getName() {
        return name;
    }
}
请求测试
POST /test
Content-Type:application/xml
<Book><name>aaaa</name></Book>
收到错误
JAXBException occurred : Maximum Element Depth limit (1) Exceeded. Maximum Element Depth limit (1) Exceeded.
如果删除 <cxf:bus> 部分,则会应用 CXF 的默认限制(default values),示例 XML 会被正常处理,响应为:
aaaa123
在 CXF 3.2.4 上,总线级别的配置对我没有任何效果。在端点级别配置后,一切都正常工作(注意:示例把 maxTextLength 提高到 536870912,即 512 MiB,这实际上放弃了该限制对超大文本节点的内存耗尽防护;只应对确有需要的端点这样做,而不是全局放宽):
<jaxws:endpoint address="/myEndpoint" id="myEndpoinId" implementor="#myEndpoint">
<jaxws:properties>
<entry key="org.apache.cxf.stax.maxTextLength" value="536870912"/>
</jaxws:properties> (...)