Welcome! Please see the About page for a little more info on how this works.

+2 votes
in Clojure by
closed by

clojure.xml by default processes XML external entities. This allows inclusion of external files in the processed XML, both from local file system and from remote servers. This seems like a bad idea when processing untrusted input.

Here's an example that includes /etc/hostname in the result (if you do not have that file on your computer, the result is a FileNotFoundException):

(require 'clojure.xml)

(def xml-str "<?xml version=\"1.0\" encoding=\"UTF-8\" ?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM \"file:///etc/hostname\" >]>

(with-open [input (java.io.ByteArrayInputStream. (.getBytes xml-str))]
  (clojure.xml/parse input))
;; => {:tag :foo, :attrs nil, :content ["nixos\n"]}

As far as I know, this feature is rarely used and e.g. data.xml disables it by default. Could it be disabled in clojure.xml as well to make it safer by default?

closed with the note: Released in 1.11.0-alpha4

1 Answer

+1 vote