`DOMDeserializer`: setExpandEntityReferences(false) may not prevent external entity expansion in all cases [CVE-2020-25649]

[baranowb]

As per description:
https://github.com/FasterXML/jackson-databind/blob/master/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java#L30
and
https://github.com/FasterXML/jackson-databind/blob/master/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java#L33

is not enough to stop expansion of entities. Depending on provider(xerces) being used it might work with current DOMDeserializer or not. If JDK default is used(at least one that I used at time of test), it wont allow to expand entities, however, if other provider from classpath is used it might, for instance, xerces-2.12.... does allow( iirc) expansion.

Reference: https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#jaxp-documentbuilderfactory-saxparserfactory-and-dom4j

I tinkered a bit with databind classes and I had something like:

factory.setValidating(true);
factory.setExpandEntityReferences(false);
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

[cowtowncoder]

First of all, thank you for reporting this security concern.

One quick note/question: you should not enable validation, since that would basically require expansion -- you can not do that, and it is not something Jackson itself sets.
I wonder if that is a requirement for problem to occur?

Aside from that, I'll see if adding missing settings from the list of 3 mentioned is safe wrt JDK baselines Jackson expects.

[cowtowncoder]

Ok so specifically while other 2 settings are already applied, this could be added:

factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

It is not entirely risk-free change, actually, since it does not only block entity expansion that we want, but also outlaws use of DOCTYPE declaration which theoretically could cause issues for someone.
For that reason this will need to go in 2.11, not 2.10 patch.

One more setting that could be considered, from the linked-to page, would be:

factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);

which I'll probably add too.

[cowtowncoder]

This problem was assigned following vuln id: CVE-2020-25649