Poiji XXE prevent attack

[ruipbferreira]

Hi all,
I'm using Poiji to process excel files and I have a question related to XXE attacks. How can I prevent it in Poiji?

Thank you all for your help
RF

[ozlerhakan]

Hi @ruipbferreira ,

Digging into XXE attacks a bit, I have found that the current Poiji is not affected by this as we use XMLBeans whose version is greater than 4.0.0 according :

13 January 2021 - CVE-2021-23926 - XML External Entity (XXE) Processing in Apache XMLBeans versions prior to 3.0.0
Description:
When parsing XML files using XMLBeans 2.6.0 or below, the underlying parser created by XMLBeans could be susceptible to XML
External Entity (XXE) attacks.
This issue was fixed a few years ago but on review, we decided we should have a CVE to raise awareness of the issue.
Mitigation:
Affected users are advised to update to Apache XMLBeans 3.0.0 or above which fixes this vulnerability. XMLBeans 4.0.0 or above is preferable.

[ruipbferreira]

@ozlerhakan I found it and I'm unable to test it "class file has wrong version 55.0, should be 52.0" I'm working with java 8

[ozlerhakan]

Ah, Poiji uses Java 11.

[ruipbferreira]

@ozlerhakan can you tell me the last version with java 8?

[ruipbferreira]

@ozlerhakan I've update poi-ooxml to 5.2.3 and have the error parsing excel "DOCTYPE is disallowed when the feature "http://apache.org/xml/features/disallow-doctype-decl\" set to true.". To do that I excluded poi-ooxml dependency from poiji 3.0.3. I will update my Poiji dependency to the last one supported in java 8. Thanks for your help and keep going with your good work

[ozlerhakan]

Great! I was going to mention this method 😎 thank you for using Poiji. You can mark this thread as complete.