Description
pom.xml
    <dependency>
        <groupId>org.xmlunit</groupId>
        <artifactId>xmlunit-core</artifactId>
        <version>2.9.1</version>
    </dependency>
poc
    import org.xmlunit.transform.Transformation;
    import javax.xml.transform.Result;
    import javax.xml.transform.Source;
    import javax.xml.transform.stream.StreamResult;
    import javax.xml.transform.stream.StreamSource;

    public class xmlunit_test {
        public static void main(String[] args) {
            // Transformation is created with XMLUnit's default TransformerFactory;
            // nothing here restricts what the stylesheet is allowed to do.
            Transformation transformation = new Transformation();
            Source xml = new StreamSource("1.xml");
            transformation.setSource(xml);
            // 1.xsl is the attacker-controlled stylesheet in this PoC
            Source xsl = new StreamSource("1.xsl");
            transformation.setStylesheet(xsl);
            Result result = new StreamResult("output.xml");
            transformation.transformTo(result);
        }
    }
There is no function for setting security parameters in org.xmlunit.transform.Transformation, and the default security parameters do not include defense against XSLT vulnerabilities.
And I would like to emphasize that XSLT vulnerabilities and XXE vulnerabilities are completely different types of vulnerabilities. XSLT vulnerabilities belong to the CWE-94 type, while XXE vulnerabilities belong to CWE-611. For more details, please refer to [CVE-2017-7465](https://nvd.nist.gov/vuln/detail/CVE-2017-7465).
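A hardening example, added here and not part of the issue or of XMLUnit's own code: it builds a JAXP TransformerFactory with secure processing enabled and external resource access disabled, then hands it to XMLUnit through Transformation.setFactory so the PoC transform runs under those limits. The class name HardenedXmlunitTransform and the hardenedFactory helper are mine; the input and output file names are taken from the PoC above.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import org.xmlunit.transform.Transformation;

public class HardenedXmlunitTransform {

    // Build a TransformerFactory with the JAXP switches that matter for
    // stylesheet-driven code execution (CWE-94) and external resource access:
    //  - FEATURE_SECURE_PROCESSING: the JDK's built-in XSLT processor disables
    //    extension functions, i.e. calls from the stylesheet into Java classes
    //  - ACCESS_EXTERNAL_DTD / ACCESS_EXTERNAL_STYLESHEET set to "": no file or
    //    network fetches via xsl:import, xsl:include or document()
    // (helper name hardenedFactory is an assumption of this example)
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory factory = TransformerFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        try {
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException e) {
            // A third-party factory that does not know these attributes:
            // fail closed instead of silently running with its defaults.
            throw new TransformerConfigurationException(
                "TransformerFactory does not support JAXP external-access limits", e);
        }
        return factory;
    }

    public static void main(String[] args) throws Exception {
        Transformation transformation = new Transformation();
        // Replace XMLUnit's default factory with the hardened one before
        // any source or stylesheet is set.
        transformation.setFactory(hardenedFactory());
        transformation.setSource(new StreamSource("1.xml"));
        transformation.setStylesheet(new StreamSource("1.xsl"));
        transformation.transformTo(new StreamResult("output.xml"));
    }
}
```

With this factory in place, a stylesheet that tries to call a Java extension function or pull in an external stylesheet fails at compile or transform time instead of executing.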