Introduce hardened XML utilities in core (elastic#133644)

Co-authored-by: elasticsearchmachine <[email protected]>

Author: 2 people

build-tools-internal/src/main/resources/forbidden/jdk-signatures.txt

@@ -102,3 +102,29 @@ java.util.Collections#shuffle(java.util.List) @ Use java.util.Collections#shuffl
 
 @defaultMessage Avoid creating FilePermission objects directly, but use FilePermissionUtils instead
 java.io.FilePermission#<init>(java.lang.String,java.lang.String)
+
+@defaultMessage DocumentBuilderFactory should not be used directly. Use XmlUtils#getHardenedDocumentBuilder(java.lang.String[]) instead.
+javax.xml.parsers.DocumentBuilderFactory#newInstance()
+javax.xml.parsers.DocumentBuilderFactory#newInstance(java.lang.String, java.lang.ClassLoader)
+javax.xml.parsers.DocumentBuilderFactory#newDefaultNSInstance()
+javax.xml.parsers.DocumentBuilderFactory#newNSInstance()
+javax.xml.parsers.DocumentBuilderFactory#newNSInstance(java.lang.String, java.lang.ClassLoader)
+
+@defaultMessage TransformerFactory should not be used directly. Use XmlUtils#getHardenedXMLTransformer() instead.
+javax.xml.transform.TransformerFactory#newInstance()
+javax.xml.transform.TransformerFactory#newInstance(java.lang.String, java.lang.ClassLoader)
+
+@defaultMessage SAXParserFactory should not be used directly. Use XmlUtils#getHardenedSaxParser() instead
+javax.xml.parsers.SAXParserFactory#newInstance()
+javax.xml.parsers.SAXParserFactory#newInstance(java.lang.String, java.lang.ClassLoader)
+javax.xml.parsers.SAXParserFactory#newDefaultNSInstance()
+javax.xml.parsers.SAXParserFactory#newNSInstance()
+javax.xml.parsers.SAXParserFactory#newNSInstance(java.lang.String, java.lang.ClassLoader)
+
+@defaultMessage SchemaValidator should not be used directly. Use XmlUtils#getHardenedSchemaValidator() instead
+javax.xml.validation.SchemaFactory#newDefaultInstance()
+javax.xml.validation.SchemaFactory#newInstance(java.lang.String)
+javax.xml.validation.SchemaFactory#newInstance(java.lang.String, java.lang.String, java.lang.ClassLoader)
+
+@defaultMessage Validator should not be used directly. Use XmlUtils#getHardenedValidator() instead
+javax.xml.validation.Schema#newValidator()

libs/core/src/main/java/module-info.java

@@ -12,6 +12,7 @@
 module org.elasticsearch.base {
     requires static jsr305;
     requires org.elasticsearch.logging;
+    requires java.xml;
 
     exports org.elasticsearch.core;
     exports org.elasticsearch.jdk;

libs/core/src/main/java/org/elasticsearch/core/XmlUtils.java

@@ -0,0 +1,186 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+package org.elasticsearch.core;
+
+import org.elasticsearch.logging.LogManager;
+import org.elasticsearch.logging.Logger;
+import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
+import org.xml.sax.SAXParseException;
+
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.parsers.SAXParserFactory;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.validation.Schema;
+import javax.xml.validation.SchemaFactory;
+import javax.xml.validation.Validator;
+
+public class XmlUtils {
+
+    private static final Logger LOGGER = LogManager.getLogger(XmlUtils.class);
+
+    /**
+     * Constructs a DocumentBuilder with all the necessary features for it to be secure
+     *
+     * @throws ParserConfigurationException if one of the features can't be set on the DocumentBuilderFactory
+     */
+    public static DocumentBuilder getHardenedBuilder(String[] schemaFiles) throws ParserConfigurationException {
+        final DocumentBuilderFactory dbf = getHardenedBuilderFactory();
+        dbf.setNamespaceAware(true);
+        // Ensure that Schema Validation is enabled for the factory
+        dbf.setValidating(true);
+        // This is required, otherwise schema validation causes signature invalidation
+        dbf.setFeature("http://apache.org/xml/features/validation/schema/normalized-value", false);
+        // Make sure that URL schema namespaces are not resolved/downloaded from URLs we do not control
+        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "file,jar");
+        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "file,jar");
+        // We ship our own xsd files for schema validation since we do not trust anyone else.
+        dbf.setAttribute("http://java.sun.com/xml/jaxp/properties/schemaSource", schemaFiles);
+        DocumentBuilder documentBuilder = dbf.newDocumentBuilder();
+        documentBuilder.setErrorHandler(new ErrorHandler());
+        return documentBuilder;
+    }
+
+    /**
+     * Returns a DocumentBuilderFactory pre-configured to be secure
+     */
+    @SuppressForbidden(reason = "This is the only allowed way to construct a DocumentBuilder")
+    public static DocumentBuilderFactory getHardenedBuilderFactory() throws ParserConfigurationException {
+        final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        // Disallow internal and external entity expansion
+        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+        dbf.setFeature("http://xml.org/sax/features/validation", true);
+        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-dtd-grammar", false);
+        dbf.setIgnoringComments(true);
+        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+        dbf.setFeature("http://apache.org/xml/features/honour-all-schemaLocations", true);
+        // Ensure we do not resolve XIncludes. Defaults to false, but set it explicitly to be future-proof
+        dbf.setXIncludeAware(false);
+        // Ensure we do not expand entity reference nodes
+        dbf.setExpandEntityReferences(false);
+        // Further limit danger from denial of service attacks
+        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        dbf.setAttribute("http://apache.org/xml/features/validation/schema", true);
+        dbf.setAttribute("http://apache.org/xml/features/validation/schema-full-checking", true);
+        dbf.setAttribute("http://java.sun.com/xml/jaxp/properties/schemaLanguage", XMLConstants.W3C_XML_SCHEMA_NS_URI);
+
+        return dbf;
+    }
+
+    /**
+     * Constructs a Transformer configured to be secure
+     */
+    @SuppressForbidden(reason = "This is the only allowed way to construct a Transformer")
+    public static Transformer getHardenedXMLTransformer() throws TransformerConfigurationException {
+        final TransformerFactory tfactory = TransformerFactory.newInstance();
+        tfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        tfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+        tfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+        tfactory.setAttribute("indent-number", 2);
+        Transformer transformer = tfactory.newTransformer();
+        transformer.setErrorListener(new ErrorListener());
+        return transformer;
+    }
+
+    /**
+     * Returns a SchemaFactory configured to be secure
+     */
+    @SuppressForbidden(reason = "This is the only allowed way to construct a SchemaFactory")
+    public static SchemaFactory getHardenedSchemaFactory() throws SAXNotSupportedException, SAXNotRecognizedException {
+        SchemaFactory schemaFactory = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
+        schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+        schemaFactory.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+        return schemaFactory;
+    }
+
+    /**
+     * Constructs a Validator configured to be secure
+     */
+    @SuppressForbidden(reason = "This is the only allowed way to construct a Validator")
+    public static Validator getHardenedValidator(Schema schema) throws SAXNotSupportedException, SAXNotRecognizedException {
+        Validator validator = schema.newValidator();
+        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+        validator.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+        return validator;
+    }
+
+    @SuppressForbidden(reason = "This is the only allowed way to construct a SAXParser")
+    public static SAXParserFactory getHardenedSaxParserFactory() throws SAXNotSupportedException, SAXNotRecognizedException,
+        ParserConfigurationException {
+        var saxParserFactory = SAXParserFactory.newInstance();
+
+        saxParserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        saxParserFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+        saxParserFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        saxParserFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+        saxParserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+
+        return saxParserFactory;
+    }
+
+    private static class ErrorHandler implements org.xml.sax.ErrorHandler {
+        /**
+         * Enabling schema validation with `setValidating(true)` in our
+         * DocumentBuilderFactory requires that we provide our own
+         * ErrorHandler implementation
+         *
+         * @throws SAXException If the document we attempt to parse is not valid according to the specified schema.
+         */
+        @Override
+        public void warning(SAXParseException e) throws SAXException {
+            LOGGER.debug("XML Parser error ", e);
+            throw e;
+        }
+
+        @Override
+        public void error(SAXParseException e) throws SAXException {
+            LOGGER.debug("XML Parser error ", e);
+            throw e;
+        }
+
+        @Override
+        public void fatalError(SAXParseException e) throws SAXException {
+            LOGGER.debug("XML Parser error ", e);
+            throw e;
+        }
+    }
+
+    private static class ErrorListener implements javax.xml.transform.ErrorListener {
+
+        @Override
+        public void warning(TransformerException e) throws TransformerException {
+            LOGGER.debug("XML transformation error", e);
+            throw e;
+        }
+
+        @Override
+        public void error(TransformerException e) throws TransformerException {
+            LOGGER.debug("XML transformation error", e);
+            throw e;
+        }
+
+        @Override
+        public void fatalError(TransformerException e) throws TransformerException {
+            LOGGER.debug("XML transformation error", e);
+            throw e;
+        }
+    }
+}

test/fixtures/s3-fixture/src/main/java/fixture/s3/S3HttpHandler.java

@@ -22,6 +22,7 @@
 import org.elasticsearch.core.Nullable;
 import org.elasticsearch.core.SuppressForbidden;
 import org.elasticsearch.core.Tuple;
+import org.elasticsearch.core.XmlUtils;
 import org.elasticsearch.logging.LogManager;
 import org.elasticsearch.logging.Logger;
 import org.elasticsearch.rest.RestStatus;
@@ -46,8 +47,6 @@
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
-import javax.xml.parsers.DocumentBuilderFactory;
-
 import static java.nio.charset.StandardCharsets.UTF_8;
 import static org.elasticsearch.test.fixture.HttpHeaderParser.parseRangeHeader;
 import static org.junit.Assert.assertEquals;
@@ -471,7 +470,7 @@ private static Tuple<String, BytesReference> parseRequestBody(final HttpExchange
 
     static List<String> extractPartEtags(BytesReference completeMultipartUploadBody) {
         try {
-            final var document = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(completeMultipartUploadBody.streamInput());
+            final var document = XmlUtils.getHardenedBuilderFactory().newDocumentBuilder().parse(completeMultipartUploadBody.streamInput());
             final var parts = document.getElementsByTagName("Part");
             final var result = new ArrayList<String>(parts.getLength());
             for (int partIndex = 0; partIndex < parts.getLength(); partIndex++) {

x-pack/plugin/identity-provider/build.gradle

@@ -80,10 +80,6 @@ tasks.named("forbiddenPatterns").configure {
   exclude '**/*.zip'
 }
 
-tasks.named('forbiddenApisMain').configure {
-  signaturesFiles += files('forbidden/xml-signatures.txt')
-}
-
 // classes are missing, e.g. com.ibm.icu.lang.UCharacter
 tasks.named("thirdPartyAudit").configure {
     ignoreMissingClasses(

x-pack/plugin/identity-provider/forbidden/xml-signatures.txt

@@ -17,6 +17,7 @@
 import org.elasticsearch.common.settings.Settings;
 import org.elasticsearch.common.util.concurrent.ThreadContext;
 import org.elasticsearch.core.Nullable;
+import org.elasticsearch.core.XmlUtils;
 import org.elasticsearch.xcontent.ObjectPath;
 import org.elasticsearch.xcontent.XContentBuilder;
 import org.elasticsearch.xcontent.json.JsonXContent;
@@ -163,7 +164,7 @@ public void testCustomAttributesInIdpInitiatedSso() throws Exception {
         final String samlResponse = generateSamlResponseWithAttributes(SP_ENTITY_ID, SP_ACS, null, attributesMap);
 
         // Parse XML directly from samlResponse (it's not base64 encoded at this point)
-        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        DocumentBuilderFactory factory = XmlUtils.getHardenedBuilderFactory();
         factory.setNamespaceAware(true); // Required for XPath
         DocumentBuilder builder = factory.newDocumentBuilder();
         Document document = builder.parse(new InputSource(new StringReader(samlResponse)));

x-pack/plugin/identity-provider/qa/idp-rest-tests/src/javaRestTest/java/org/elasticsearch/xpack/idp/IdentityProviderAuthenticationIT.java

@@ -250,7 +250,7 @@ private static void validateNameIdPolicy(AuthnRequest request, SamlServiceProvid
     }
 
     private boolean validateSignature(ParsedQueryString queryString, Collection<X509Credential> credentials) {
-        final String javaSigAlgorithm = SamlFactory.getJavaAlorithmNameFromUri(queryString.sigAlg);
+        final String javaSigAlgorithm = SamlFactory.getJavaAlgorithmNameFromUri(queryString.sigAlg);
         final byte[] contentBytes = queryString.reconstructQueryParameters().getBytes(StandardCharsets.UTF_8);
         final byte[] signatureBytes = Base64.getDecoder().decode(queryString.signature);
         return credentials.stream().anyMatch(credential -> {