<div dir="ltr"><div><div>Hi all,<br><br></div>I'm running Keycloak 1.9.3.Final with the standard out-of-the-box Wildfly configuration in a test environment, and I noticed this warning:<br><br><span style="color:rgb(180,95,6)">WARN [org.keycloak.saml.common] XML External Entity switches are not supported. You may get XML injection vulnerabilities.</span><br><br></div>I was curious as to what might be vulnerable, so I sent some malicious XML payloads with XXE type attacks to the SAML endpoint, and got this message:<br><br><span style="color:rgb(153,0,0)">ERROR [org.keycloak.saml.common] Error in base64 decoding saml message: ParsingException [location=null]or<br>g.keycloak.saml.common.exceptions.ParsingException: PL00074: Parsing Error:DOCTYPE is disallowed when the feature "<a href="http://apache.org/xml">http://apache.org/xml</a><br>/features/disallow-doctype-decl" set to true.</span><br><div><div><br></div><div>I can see clearly where the DocumentUtil is setting the flag mentioned in this error message (as well as a couple of others). Based on this, is it safe to assume that XXE attacks are protected against by the KC SAML processing operations?<br><br></div><div>Also, are there other endpoints or operations that don't use the DocumentUtil that I should be concerned with? If so, what are the recommended actions to ensure the TransformerFactory settings are appropriate?<br></div><div><br clear="all"><div><div><div class="gmail_signature"><div dir="ltr"><span><div><div>Josh Cain | Software Applications Engineer<br></div><i>Identity and Access Management</i><br></div><b>Red Hat</b><br>+1 843-737-1735<br></span></div></div></div>
</div></div></div></div>