ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Create rule S6377: XML signature should be verified securely (Python) (APPSEC-1588) (#3763)

Browse Source
This commit is contained in:
github-actions[bot] 2024-03-18 17:11:22 +01:00 committed by GitHub
parent 260d4830b0
commit 576a6152e0
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
13 changed files with 153 additions and 60 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
docs/header_names/allowed_framework_names.adoc
View File

@ -98,6 +98,7 @@
* Python Standard Library
* PyYAML
* Requests
* SignXML
* SQLAlchemy
* ssl
// Docker

4
rules/S6377/common/description.adoc Normal file
View File

@ -0,0 +1,4 @@
XML can be used for a wide variety of purposes. Using a signature on an XML
message generally indicates this message requires authenticity and integrity.
However, if the signature validation is not properly implemented this
authenticity can not be guaranteed.

5
rules/S6377/common/impact.adoc Normal file
View File

@ -0,0 +1,5 @@
By not enforcing secure validation, the XML Digital Signature API is more susceptible to attacks such as signature spoofing and injections.
include::impacts/spoofing.adoc[]
include::impacts/injection.adoc[]

3
rules/S6377/common/impacts/injection.adoc Normal file
View File

@ -0,0 +1,3 @@
=== Risk of Injection Attacks
Disabling secure validation can expose the application to injection attacks. Attackers can inject malicious code or entities into the XML document, taking advantage of the weakened validation process. In some cases, it can also expose the application to denial-of-service attacks. Attackers can exploit vulnerabilities in the validation process to cause excessive resource consumption or system crashes, leading to service unavailability or disruption.

3
rules/S6377/common/impacts/spoofing.adoc Normal file
View File

@ -0,0 +1,3 @@
=== Increased Vulnerability to Signature Spoofing
By disabling secure validation, the application becomes more susceptible to signature spoofing attacks. Attackers can potentially manipulate the XML signature in a way that bypasses the validation process, allowing them to forge or tamper with the signature. This can lead to the acceptance of invalid or maliciously modified signatures, compromising the integrity and authenticity of the XML documents.

1
rules/S6377/common/rationale.adoc Normal file
View File

@ -0,0 +1 @@
XML signatures are a method used to ensure the integrity and authenticity of XML documents. However, if XML signatures are not validated securely, it can lead to potential vulnerabilities.

3
rules/S6377/common/resources/docs.adoc Normal file
View File

@ -0,0 +1,3 @@
=== Documentation
* Oracle Java Documentation - https://docs.oracle.com/en/java/javase/21/security/java-xml-digital-signature-api-overview-and-tutorial.html[XML Digital Signature API Overview and Tutorial]

5
rules/S6377/common/resources/standards.adoc Normal file
View File

@ -0,0 +1,5 @@
=== Standards
* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10:2021 A02:2021 - Cryptographic Failures]
* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
* CWE - https://cwe.mitre.org/data/definitions/347[CWE-347 - Improper Verification of Cryptographic Signature]

40
rules/S6377/java/how-to-fix/java-se.adoc Normal file
View File

@ -0,0 +1,40 @@
== How to fix it in Java SE
=== Code examples
For versions of Java before 17, secure validation is disabled by default unless the application runs with a security manager, which is rare. It should be enabled explicitly by setting the ``org.jcp.xml.dsig.secureValidation`` attribute to true with the ``javax.xml.crypto.dsig.dom.DOMValidateContext.setProperty`` method.
For Java 17 and higher, secure validation is enabled by default.
==== Noncompliant code example
[source,java,diff-id=1,diff-type=noncompliant]
----
NodeList signatureElement = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
DOMValidateContext valContext = new DOMValidateContext(new KeyValueKeySelector(), signatureElement.item(0)); // Noncompliant
XMLSignature signature = fac.unmarshalXMLSignature(valContext);
boolean signatureValidity = signature.validate(valContext);
----
==== Compliant solution
[source,java,diff-id=1,diff-type=compliant]
----
NodeList signatureElement = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
DOMValidateContext valContext = new DOMValidateContext(new KeyValueKeySelector(), signatureElement.item(0));
valContext.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
XMLSignature signature = fac.unmarshalXMLSignature(valContext);
boolean signatureValidity = signature.validate(valContext);
----
=== How does this work?
When XML Signature secure validation mode is enabled, XML Signatures are processed more securely. It enforces a number of restrictionsto to protect from XML Documents that may contain hostile constructs that can cause denial-of-service or other types of security issues.
These restrictions can protect you from XML Signatures that may contain potentially hostile constructs that can cause denial-of-service or other types of security issues.

65
rules/S6377/java/rule.adoc
View File

@ -1,4 +1,4 @@
XML signatures are a method used to ensure the integrity and authenticity of XML documents. However, if XML signatures are not validated securely, it can lead to potential vulnerabilities.
include::../common/rationale.adoc[]
== Why is this an issue?
@ -6,70 +6,15 @@ Before Java 17, XML Digital Signature API does not apply restrictions on XML sig
== What is the potential impact
By not enforcing secure validation, the XML Digital Signature API is more susceptible to attacks such as signature spoofing and injections.
include::../common/impact.adoc[]
=== Increased Vulnerability to Signature Spoofing
By disabling secure validation, the Java application becomes more susceptible to signature spoofing attacks. Attackers can potentially manipulate the XML signature in a way that bypasses the validation process, allowing them to forge or tamper with the signature. This can lead to the acceptance of invalid or maliciously modified signatures, compromising the integrity and authenticity of the XML documents.
=== Risk of Injection Attacks
Disabling secure validation can expose the application to injection attacks. Attackers can inject malicious code or entities into the XML document, taking advantage of the weakened validation process. In some cases, it can also expose the application to denial-of-service attacks. Attackers can exploit vulnerabilities in the validation process to cause excessive resource consumption or system crashes, leading to service unavailability or disruption.
== How to fix it in Java SE
=== Code examples
For versions of Java before 17, secure validation is disabled by default unless the application runs with a security manager, which is rare. It should be enabled explicitly by setting the ``org.jcp.xml.dsig.secureValidation`` attribute to true with the ``javax.xml.crypto.dsig.dom.DOMValidateContext.setProperty`` method.
For Java 17 and higher, secure validation is enabled by default.
==== Noncompliant code example
[source,java,diff-id=1,diff-type=noncompliant]
----
NodeList signatureElement = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
DOMValidateContext valContext = new DOMValidateContext(new KeyValueKeySelector(), signatureElement.item(0)); // Noncompliant
XMLSignature signature = fac.unmarshalXMLSignature(valContext);
boolean signatureValidity = signature.validate(valContext);
----
==== Compliant solution
[source,java,diff-id=1,diff-type=compliant]
----
NodeList signatureElement = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
DOMValidateContext valContext = new DOMValidateContext(new KeyValueKeySelector(), signatureElement.item(0));
valContext.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
XMLSignature signature = fac.unmarshalXMLSignature(valContext);
boolean signatureValidity = signature.validate(valContext);
----
=== How does this work?
When XML Signature secure validation mode is enabled, XML Signatures are processed more securely. It enforces a number of restrictionsto to protect from XML Documents that may contain hostile constructs that can cause denial-of-service or other types of security issues.
These restrictions can protect you from XML Signatures that may contain potentially hostile constructs that can cause denial-of-service or other types of security issues.
include::./how-to-fix/java-se.adoc[]
== Resources
=== Documentation
* Oracle Java Documentation - https://docs.oracle.com/en/java/javase/21/security/java-xml-digital-signature-api-overview-and-tutorial.html[XML Digital Signature API Overview and Tutorial]
=== Standards
* OWASP - https://owasp.org/Top10/A02_2021-Cryptographic_Failures/[Top 10:2021 A02:2021 - Cryptographic Failures]
* OWASP - https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure[Top 10 2017 Category A3 - Sensitive Data Exposure]
* CWE - https://cwe.mitre.org/data/definitions/347[CWE-347 - Improper Verification of Cryptographic Signature]
include::../common/resources/docs.adoc[]
include::../common/resources/standards.adoc[]
ifdef::env-github,rspecator-view[]

66
rules/S6377/python/how-to-fix/signxml.adoc Normal file
View File

@ -0,0 +1,66 @@
== How to fix it in SignXML
=== Code examples
The following noncompliant code example verifies an XML signature without
providing a trusted signing authority. This code will accept any signature
created from a generally trusted certificate, for example, a Let's encrypt one.
==== Noncompliant code example
[source,python,diff-id=1,diff-type=noncompliant]
----
from lxml import etree
from signxml import XMLVerifier
xml_file = open("signed.xml", "rb")
xml = etree.parse(xml_file)
XMLVerifier().verify(xml) # Noncompliant
----
==== Compliant solution
[source,python,diff-id=1,diff-type=compliant]
----
from lxml import etree
from signxml import XMLVerifier
xml_file = open("signed.xml", "rb")
xml = etree.parse(xml_file)
cert_file = open("cert.pem", "rb")
cert = cert_file.read()
XMLVerifier().verify(xml, x509_cert=cert)
----
=== How does this work?
Here, the compliant solution provides a trusted certificate to the signature validation function. This will ensure only signatures computed with the
private key associated with the provided certificate will be accepted.
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Change this code to only accept signatures computed from a trusted party.
=== Highlight
When no `expect_config` is provided:
* Highlight the call to the `verify` method.
When an `expect_config` is provided:
* Highlight the `verify` call.
* As a secondary location, highlight the `require_x509=False` in the
`SignatureConfiguration` instantiation.
'''
endif::env-github,rspecator-view[]

2
rules/S6377/python/metadata.json Normal file
View File

@ -0,0 +1,2 @@
{
}

15
rules/S6377/python/rule.adoc Normal file
View File

@ -0,0 +1,15 @@
include::../common/rationale.adoc[]
== Why is this an issue?
include::../common/description.adoc[]
=== What is the potential impact?
include::../common/impact.adoc[]
include::./how-to-fix/signxml.adoc[]
== Resources
include::../common/resources/standards.adoc[]