# SpringBlade XXE Vulnerability Summary

## Vulnerability Overview

The `blade-report` module of SpringBlade (integrated with UReport2) contains an XML External Entity (XXE) injection vulnerability. Attackers can upload an XML file containing a malicious `DOCTYPE` declaration via the `POST /ureport/designer/saveReportFile` interface and trigger parsing through the `GET /ureport/designer/loadReport` interface, thereby reading local server files or initiating SSRF requests.

**Affected Versions:** ≤ 4.8.0

**Affected Component:** `blade-report` module

**Trigger Endpoints:**

- Injection Point: `POST /ureport/designer/saveReportFile`
- Trigger Point: `GET /ureport/designer/loadReport`

---

## Impact Scope

1. **Arbitrary File Read**: By injecting an external entity whose system identifier points at a local path, any file within the server's permission scope (such as `win.ini`, configuration files, keys, etc.) can be read.
2. **Server-Side Request Forgery (SSRF)**: By injecting an external entity whose system identifier is a URL, the server can be forced to access internal or external hosts.
3. **Denial of Service (DoS)**: Through recursive entity definitions (Billion Laughs attack), server memory and CPU resources can be exhausted.

---

## Remediation

### Immediate Mitigation Measures

- If the report design functionality is not required in the production environment, access to all `/ureport/designer/*` endpoints should be blocked at the gateway or Web filter layer.

### Code-Level Fixes

1. **Disable External Entity Parsing**: Configure the following security features when creating `SAXParserFactory`:

   ```java
   SAXParserFactory factory = SAXParserFactory.newInstance();
   factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
   factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
   factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
   factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
   factory.setXIncludeAware(false);
   ```

2. **Validate XML Content Before Saving**: Before storing the report, verify that the XML does not contain a `DOCTYPE` declaration or any entity definitions.

---

## Proof of Concept

### Step 1: Inject Malicious XML (saveReportFile Interface)

Request Example (only the closing `]>` of the injected DOCTYPE block is preserved here):

```
]>
```

**XML Stored in Database After Saving (Stored via `MySQLProvider.saveReport()`):**

```xml
]>
&xxe;
&xxe;
&xxe;
```

### Step 2: Trigger Parsing (loadReport Interface)

Request Example:

```http
GET http://localhost:8080/ureport/designer/loadReport?file=xxx HTTP/1.1
Host: localhost:8080
...
```

### Step 3: Verify Results

The response body returns XML containing the content of the read file (e.g., the content of `win.ini` embedded within a report cell).

---

## Root Cause Analysis

The vulnerability exists in the `ReportParser` class of UReport2, which creates a `SAXParserFactory` without disabling external entity parsing and DOCTYPE declarations:

```java
import java.io.InputStream;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

public class ReportParser {
    public ReportDefinition parse(InputStream inputStream) {
        try {
            // VULNERABILITY: SAXParserFactory created with default settings
            // External entities and DOCTYPE declarations are enabled by default
            SAXParserFactory factory = SAXParserFactory.newInstance();
            // Missing security hardening:
            // factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
            // factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            SAXParser parser = factory.newSAXParser();
            ReportParserHandler handler = new ReportParserHandler();
            // XML is parsed here - external entities are resolved automatically
            // If the XML contains an external entity declaration that references a file,
            // the parser will read the file and substitute its contents into the document
            parser.parse(inputStream, handler);
            return handler.getReportDefinition();
        } catch (Exception e) {
            throw new ReportException(e);
        }
    }
}
```

**Attack Chain:**

1. **Injection**: The attacker calls `saveReportFile`, passing an XML containing a malicious DOCTYPE, which is stored directly in the database without validation.
2. **Trigger**: The attacker calls `loadReport`, retrieves the XML from the database, and passes it to `ReportParser.parse()`. External entity parsing is triggered during parsing.
3. **Exfiltration**: The content of the resolved entities (e.g., file contents) is embedded into the report structure and returned to the attacker via the response.
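The following added example (not code from SpringBlade or UReport2) shows the two code-level fixes from the Remediation section working together: a hardened `SAXParserFactory` that rejects any `DOCTYPE`, and a save-time check applied before the report reaches `saveReport()`. The class name `HardenedReportXml`, the sample documents and the `file:///PLACEHOLDER` path are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedReportXml {

    // Factory configured with the features listed in the Remediation section.
    static SAXParserFactory secureFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f;
    }

    // Save-time check (defense in depth): refuse to store a report that carries a
    // DOCTYPE or entity declaration. The parser feature above remains the primary control.
    static boolean containsDoctypeOrEntity(String xml) {
        String s = xml.toLowerCase();
        return s.contains("<!doctype") || s.contains("<!entity");
    }

    // Returns true when the document parses under the hardened factory, false when
    // the parser rejects it (disallow-doctype-decl raises a SAXParseException on any DOCTYPE).
    static boolean parsesSafely(String xml) throws Exception {
        SAXParser parser = secureFactory().newSAXParser();
        try (InputStream in = new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))) {
            parser.parse(in, new DefaultHandler());
            return true;
        } catch (SAXException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs; the hostile one mirrors the DOCTYPE/entity shape described above.
        String benign = "<ureport><cell row=\"1\" col=\"1\">total</cell></ureport>";
        String hostile = "<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY xxe SYSTEM \"file:///PLACEHOLDER\">]>"
                       + "<ureport><cell>&xxe;</cell></ureport>";
        System.out.println("benign : reject=" + containsDoctypeOrEntity(benign) + " parses=" + parsesSafely(benign));
        System.out.println("hostile: reject=" + containsDoctypeOrEntity(hostile) + " parses=" + parsesSafely(hostile));
    }
}
```

The benign report passes both checks, while the hostile one is refused at save time and, if it were ever stored anyway, is rejected by the hardened parser at load time.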