Disable Entity Expansion Required
07-11-2023 04:57 AM
Hi all, I have the following requirements, but most of the system properties are not available on my instance. If I create those properties, will it create any problems?
"Disable Entity Expansion
Recommendation: Set the value of the system property 'glide.stax.allow_entity_resolution' to 'false' to defend against XML Entity Expansion/Billion Laughs attacks.
If customizations use an XMLDocument2 parser, use the following system properties to enable external entity validation. Note: Please activate the prerequisite properties:
- glide.xml.entity.whitelist is not empty
- glide.xml.entity.whitelist.enabled is set to true
- glide.stax.whitelist_enabled is set to true"
07-24-2023 09:45 PM
Hi,
Here is the info I put together when running a security hardening exercise: a combination of HI case, docs, and advice from developers. Hope it helps.
glide.stax.allow_entity_resolution is related to a number of other system properties handling XML entity resolution and expansion – mentioned in the Instance Security Center.
In the case of SOAP web services, XML is used to exchange data. To process this XML data, ServiceNow scripting classes such as XMLDocument or XMLUtils are used. These classes could be used anywhere else as well, not just in SOAP web services. The XML may contain some corrupt FQDNs; sending requests to these FQDNs may increase the surface area of a potential attack vector.
Entity expansion is introduced to the platform predominantly through customer customizations, so if the custom code is using the XMLDocument or XMLDocument2 parser as shown in the example below, it will be using entity expansion and the platform may block further processing:
var xmldoc = new XMLDocument(payload); OR var xmldoc = new XMLDocument2(payload);
glide.xml.entity.whitelist.enabled and glide.stax.whitelist_enabled both work off the glide.xml.entity.whitelist – this will be checked when performing XML Entity processing.
glide.xml.entity.whitelist.enabled is related to XMLDocument and XMLUtil parsing.
glide.stax.whitelist_enabled is related to XMLDocument2 parsing.
[glide.stax.allow_entity_resolution] is used to block entity expansion.
[glide.xmlutil.max_entity_expansion] is used to set a threshold to limit the amount of expansion allowed by the platform before blocking further processing. Recommended to be set to 3000 (any expansion above this will be blocked).
Setting glide.stax.allow_entity_resolution to false and glide.xmlutil.max_entity_expansion to 3000 blocks all entity resolution and expansion. Feel free to check before enabling the other 2 whitelists (glide.xml.entity.whitelist.enabled and glide.stax.whitelist_enabled), as this will offer some protection in the event the use case changes and glide.stax.allow_entity_resolution is activated.
If you're sure you don't have much custom code, you can set glide.stax.allow_entity_resolution to false to block all entity resolution and expansion.
The customer should review these with their internal security teams to see what they need to do as we can't know what customization or custom apps they have created.
We have provided the current reference for each of these as well as a small sample test case below.
1. Property Name: glide.xml.entity.whitelist.enabled: https://docs.servicenow.com/csh?topicname=allow-entity-validation-with-whitelisting.html
2. Property Name: glide.xmlutil.max_entity_expansion: https://docs.servicenow.com/csh?topicname=setting-entity-expansion-threshold.html
3. Property Name: glide.stax.allow_entity_resolution: https://docs.servicenow.com/csh?topicname=disable-entity-expansion.html
4. Property Name: glide.stax.whitelist_enabled: https://docs.servicenow.com/csh?topicname=allow-entity-validation-with-whitelisting-xmldoc2.html
5. Property Name: glide.xml.entity.whitelist : https://docs.servicenow.com/csh?topicname=allow-entity-validation-with-whitelisting.html
Here is a small sample test case:
Prerequisite: glide.stax.allow_entity_resolution=true // false blocks all entity resolution
Prerequisite: glide.stax.whitelist_enabled=true // allows xmldocument2 (streaming parser) calls to use the xml entity whitelist
Prerequisite: glide.xml.entity.whitelist.enabled=true // required to access the xml entity whitelist
Prerequisite: glide.xml.entity.whitelist // defines allowed entity path starts
Note 1: Entities not defined as PUBLIC or starting with http/https are automatically blocked
Note 2: Entity whitelist uses a "starts with" for determining access, so http://somehost/somefile will allow any entity that starts with that path.
Here is an example where the file2 entity will either be displayed (resolved) or not, depending on whether the entity "http://somehost/somefile" is whitelisted.
var xmlString = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>" +
"<!DOCTYPE foo [" +
"<!ENTITY file2 PUBLIC \"http://somehost/somefile\" \"http://somehost/somefile\">" +
"]>" +
"<doc> " +
"	<text>This is some normal text containing predefined entities like &amp; and &gt;</text> " + // predefined entities must stay escaped or the XML is not well-formed
"	<text>And some more text containing character entities like </text> " +
"	<b>And a custom internal entity like this one: &file2;</b> " +
"</doc>";
var xmlDoc = new XMLDocument2();
xmlDoc.parseXML(xmlString); // with the whitelist in force, &file2; resolves only if its URI is whitelisted
gs.info(xmlDoc); // displays the contents of the document entity
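To make the property interplay from the answer above concrete, here is an added example (my own Node.js code, not ServiceNow platform code) that models the decisions described: the glide.xmlutil.max_entity_expansion threshold of 3000 applied to internal entities, and the PUBLIC-http(s) rule plus "starts with" whitelist match applied to external entities. The regex parsing and the way the properties combine are simplifying assumptions, not the platform's implementation; the Billion Laughs payload and the props objects are constructed samples.

```javascript
// Added example, not ServiceNow platform code: a model of the decisions the answer describes, run over
// a DOCTYPE internal subset. Property names are the thread's; how the platform combines them is assumed.
const DECL = /<!ENTITY\s+(\w+)\s+(?:PUBLIC\s+"[^"]*"\s+"([^"]*)"|SYSTEM\s+"([^"]*)"|"([^"]*)")\s*>/g;
const REF = /&(\w+);/g;
function parseEntities(xml) {
  const ents = {};
  for (const m of xml.matchAll(DECL)) {
    ents[m[1]] = m[2] !== undefined ? { kind: 'PUBLIC', uri: m[2] }
      : m[3] !== undefined ? { kind: 'SYSTEM', uri: m[3] } : { kind: 'internal', value: m[4] };
  }
  return ents;
}
// Replacements made by fully expanding one internal entity; Billion Laughs grows this exponentially.
function expansionCount(name, ents, seen = new Set()) {
  const e = ents[name];
  if (!e || e.kind !== 'internal' || seen.has(name)) return 1; // external, undeclared or cyclic
  seen.add(name);
  let n = 1;
  for (const m of e.value.matchAll(REF)) n += expansionCount(m[1], ents, seen);
  seen.delete(name);
  return n;
}
// Note 1: only PUBLIC http(s) entities are eligible. Note 2: the whitelist is a "starts with" match.
function externalDecision(e, props) {
  if (!props['glide.stax.allow_entity_resolution']) return 'blocked:resolution-disabled';
  if (e.kind !== 'PUBLIC' || !/^https?:\/\//.test(e.uri)) return 'blocked:not-public-http';
  if (props['glide.stax.whitelist_enabled'] && props['glide.xml.entity.whitelist.enabled']) {
    return (props['glide.xml.entity.whitelist'] || []).some(p => e.uri.startsWith(p))
      ? 'resolved' : 'blocked:not-whitelisted';
  }
  return 'resolved'; // assumption: with no whitelist in force, nothing else filters the entity
}

function checkXml(xml, props) {
  const ents = parseEntities(xml);
  const body = xml.replace(/<!DOCTYPE[\s\S]*?\]>/, ''); // only references in document content count
  const r = { external: {}, expansions: 0, blocked: false };
  for (const m of body.matchAll(REF)) {
    const e = ents[m[1]]; // undefined for predefined (&amp;, &gt;) or undeclared references
    if (e && e.kind === 'internal') r.expansions += expansionCount(m[1], ents);
    else if (e) r.external[m[1]] = externalDecision(e, props);
  }
  r.blocked = r.expansions > (props['glide.xmlutil.max_entity_expansion'] || 3000);
  return r;
}

// Constructed samples: a four-level Billion Laughs payload and the thread's file2 document.
const LAUGHS = '<!DOCTYPE d [<!ENTITY lol0 "lol">' + [1, 2, 3, 4].map(i =>
  `<!ENTITY lol${i} "${('&lol' + (i - 1) + ';').repeat(10)}">`).join('') + ']><d>&lol4;</d>';
const FILE2 = '<!DOCTYPE foo [<!ENTITY file2 PUBLIC "http://somehost/somefile" "http://somehost/somefile">]>' +
  '<doc><text>&amp; and &gt;</text><b>custom entity: &file2;</b></doc>';
```

Running checkXml(LAUGHS, ...) shows why a threshold matters: a document of a few hundred bytes performs 11111 replacements and trips the 3000 limit, while the file2 document resolves or is blocked purely on the whitelist prefix.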