spring 为恶意xml设置Apache CXF总线属性

drkbr07n 于 2023-11-16 发布在 Spring

关注(0)|答案(3)|浏览(136)

我正在尝试为恶意xml设置CXF总线属性，如下所示

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://cxf.apache.org/configuration/security"
    xmlns:http="http://cxf.apache.org/transports/http/configuration"
    xmlns:cxf="http://cxf.apache.org/core"
    xsi:schemaLocation="
      http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
      http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd
      http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
      http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">

    <cxf:bus>
        <cxf:properties>
            <entry key="org.apache.cxf.stax.maxAttributeSize" value="1"/>
            <entry key="org.apache.cxf.stax.maxChildElements" value="1"/>
            <entry key="org.apache.cxf.stax.maxElementDepth" value="1"/>
            <entry key="org.apache.cxf.stax.maxAttributeCount" value="1"/> 
            <entry key="org.apache.cxf.stax.maxTextLength" value="1"/>
            <entry key="org.apache.cxf.stax.maxElementCount" value="1"/>
      </cxf:properties>
    </cxf:bus>
</beans>

字符串
看起来CXF没有选择这些属性。上面的代码在spring上下文xml文件中。每当我做一个有多个元素和子元素的post请求时，CXF不会抛出任何错误。我使用的是CXF版本3.1.1

spring

来源：https://stackoverflow.com/questions/37756464/setting-apache-cxf-bus-properties-for-malicious-xml

3条答案

按热度按时间

xlpyo6sf1#

我已经在一个带有java 1.6和java 1.8的Tomcat服务器上用CXF 2.7.13和3.1.6测试了总线属性，在这两种情况下，XML请求都被阻塞了，就像文档中说的那样。
确保woodstook和stax库在类路径中。CXF将XML检查委托给这些库。如果服务器有它自己的XML解析器。它们必须在XML解析器服务器之前（如果可用）。检查server configuration guide
我将详细说明配置，以便您可以检查您的配置。

CXF课程（Ivy格式）

<dependency org="org.apache.cxf" name="cxf-rt-frontend-jaxrs" rev="3.1.6" conf="default"/>
 <dependency org="org.apache.cxf" name="cxf-rt-frontend-jaxws" rev="3.1.6" conf="default"/>
 <dependency org="org.apache.cxf" name="cxf-rt-ws-security" rev="3.1.6" conf="default"/>
 <dependency org="org.apache.cxf" name="cxf-rt-rs-extension-providers" rev="3.1.6" conf="default"/>

字符串

spring CXF配置

<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:util="http://www.springframework.org/schema/util"
    xmlns:jaxrs="http://cxf.apache.org/jaxrs" xmlns:jaxws="http://cxf.apache.org/jaxws"
    xmlns:http-conf="http://cxf.apache.org/transports/http/configuration"
    xmlns:context="http://www.springframework.org/schema/context"
    xmlns:cxf="http://cxf.apache.org/core"
    xsi:schemaLocation="
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
        http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
        http://cxf.apache.org/jaxrs http://cxf.apache.org/schemas/jaxrs.xsd
        http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd 
        http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd"
    default-lazy-init="false">

    <import resource="classpath:META-INF/cxf/cxf.xml" />

    <!-- JAX-WS server-->
    <bean id="sampleEndPointImpl" class="com.SampleEndPointImpl" />
    <jaxws:endpoint id="sampleServiceSOAP" 
        address="/sampleEndPoint"
        endpointName = "SampleEndPoint"
        implementor="#sampleEndPointImpl" >
    </jaxws:endpoint>

    <!-- JAX-RS server-->
    <bean id="bookService" class="com.BookService" />
    <jaxrs:server id="bookservice" address="/">
        <jaxrs:serviceBeans>
            <ref bean="bookService" />
        </jaxrs:serviceBeans>
    </jaxrs:server>

    <cxf:bus>
        <cxf:properties>
            <entry key="org.apache.cxf.stax.maxAttributeSize" value="1"/>
            <entry key="org.apache.cxf.stax.maxChildElements" value="1"/>
            <entry key="org.apache.cxf.stax.maxElementDepth" value="1"/>
            <entry key="org.apache.cxf.stax.maxAttributeCount" value="1"/> 
            <entry key="org.apache.cxf.stax.maxTextLength" value="1"/>
            <entry key="org.apache.cxf.stax.maxElementCount" value="1"/>
      </cxf:properties>

    </cxf:bus>

</beans>

型

REST服务器示例

BookService.java

@POST
 @Path("/test")
 @Consumes(MediaType.APPLICATION_XML)
 public Response test(Book book) {
    return Response.ok(book.getName() + "123").build();
 }

型
Book.java

@XmlRootElement(name = "Book")
 public class Book {
     private String name;

     public String getName() {return name;}
     public void setName(String name) {this.name = name;}
 }

型
请求已测试

POST /test
 Content-Type:application/xml
 <Book><name>aaaa</name></Book>

型

收到错误

JAXBException occurred : Maximum Element Depth limit (1) Exceeded. Maximum Element Depth limit (1) Exceeded.

型
如果删除<cxf:bus>部分，将应用CXF默认值，并处理XML示例

aaaa123

型

赞(0）回复(0）举报 2023-11-16

sd2nnvve2#

在cxf 3.2.4中，在总线级配置对我来说根本不起作用。在端点级配置之后，一切都像魔法一样工作：

<jaxws:endpoint address="/myEndpoint" id="myEndpoinId" implementor="#myEndpoint">
            <jaxws:properties>
                    <entry key="org.apache.cxf.stax.maxTextLength" value="536870912"/>
            </jaxws:properties> (...)

字符串

赞(0）回复(0）举报 2023-11-16

mgdq6dx13#

如果有人在使用CXF 4.0.2 JAXWS独立客户端javax.xml.stream.XMLStreamException: Maximum Element Depth limit (100) Exceeded时寻求修复异常，这里留下另一个解决方案。

System.setProperty(StaxUtils.MAX_ELEMENT_DEPTH, "1000");
JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();

字符串
不幸的是，通过factory设置该属性并不能解决这个问题。所以如果有比全局作用域更好的方法，我很乐意编辑这个答案。

赞(0）回复(0）举报 2023-11-16

我来回答

spring 为恶意xml设置Apache CXF总线属性

3条答案

相关问题

热门标签

最新问答