  • Is DBMS_XMLPARSER.parseClob vulnerable to XML-oriented attacks


Connor McDonald

Thanks for the question, Eric.

Asked: July 30, 2019 - 9:38 pm UTC

Last updated: August 01, 2019 - 8:53 am UTC

Version: Oracle Database 12c Enterprise Edition Release 12.2.0.1.0 - 64bit

Viewed 1000+ times

You Asked

I'm being asked to review a security checklist for my PLSQL application that utilizes DBMS_XMLPARSER.parseClob to parse an XML request, get data from Oracle and return a response XML document.

The security requirement is this:
https://www.stigviewer.com/stig/application_security_and_development/2017-12-18/finding/V-70269

Does Oracle's built-in DBMS_XMLPARSER package have security built into it to prevent XML-oriented attacks, or do I need to examine the input data myself?

An example of an XML-oriented attack is an XML bomb as detailed at this link:
https://www.soapui.org/security-testing/security-scans/xml-bomb.html

I haven't tried calling DBMS_XMLPARSER.parseClob with an XML-oriented attack because I don't want to get fired. I was hoping that you could test it in your controlled environment.

and Connor said...

We will return an error to ensure you can't consume all the resources, e.g.

SQL> create table t ( c clob );

Table created.

SQL> declare
  2    v clob :=
  3  '<?xml version="1.0"?>
  4  <!DOCTYPE lolz [
  5   <!ENTITY lol "lol">
  6   <!ELEMENT lolz (#PCDATA)>
  7   <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  8   <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  9   <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 10   <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
 11   <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
 12   <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
 13   <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
 14   <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
 15   <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
 16  ]>
 17  <lolz>&lol9;</lolz>';
 18  begin
 19    insert into t values (v);
 20    commit;
 21  end;
 22  /

PL/SQL procedure successfully completed.

SQL>
SQL> DECLARE
  2   l_clob CLOB;
  3   l_parser dbms_xmlparser.Parser;
  4   l_doc dbms_xmldom.DOMDocument;
  5  BEGIN
  6      select c into l_clob from t;
  7      l_parser := dbms_xmlparser.newParser;
  8      dbms_xmlparser.parseClob(l_parser, l_clob);
  9      l_doc := dbms_xmlparser.getDocument(l_parser);
 10      dbms_xmlparser.freeParser(l_parser);
 11  END;
 12  /
DECLARE
*
ERROR at line 1:
ORA-31011: XML parsing failed
ORA-06512: at "XDB.DBMS_XMLPARSER", line 191
ORA-19213: error occurred in XML processing at lines 15, 1, 1, 1, 1, 1, 1, 1, 1
LPX-00286: Exceeded max depth for recursion
ORA-06512: at "XDB.DBMS_XMLPARSER", line 164
ORA-06512: at "XDB.DBMS_XMLPARSER", line 183
ORA-06512: at line 8
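The parser's recursion limit stops this particular entity expansion, but the STIG item in the question still expects the application to validate what it accepts, and the demo above leaks the parser handle when parseClob raises. The following wrapper is an added example, not code from the answer; the function name, the error numbers -20001/-20002 and the "no DTD expected" assumption are hypothetical choices for illustration:

```sql
-- Hypothetical wrapper around DBMS_XMLPARSER.parseClob (added example):
-- reject DTD constructs up front, parse inside an exception handler,
-- and free the parser on every path.
CREATE OR REPLACE FUNCTION parse_request_xml (p_xml IN CLOB)
  RETURN dbms_xmldom.DOMDocument
IS
  l_parser        dbms_xmlparser.Parser;
  l_doc           dbms_xmldom.DOMDocument;
  e_parse_failed  EXCEPTION;
  PRAGMA EXCEPTION_INIT(e_parse_failed, -31011);  -- ORA-31011: XML parsing failed
BEGIN
  -- Defence in depth (assumption: request documents never carry an inline DTD):
  -- any DOCTYPE or ENTITY declaration is rejected before the parser sees it,
  -- so entity expansion is never attempted at all.
  IF DBMS_LOB.INSTR(UPPER(p_xml), '<!DOCTYPE') > 0
     OR DBMS_LOB.INSTR(UPPER(p_xml), '<!ENTITY') > 0 THEN
    RAISE_APPLICATION_ERROR(-20001, 'DTD declarations are not permitted in requests');
  END IF;

  l_parser := dbms_xmlparser.newParser;
  BEGIN
    dbms_xmlparser.parseClob(l_parser, p_xml);
    l_doc := dbms_xmlparser.getDocument(l_parser);
  EXCEPTION
    WHEN e_parse_failed THEN
      -- The demo in the answer skips this: free the parser even on failure,
      -- and hand the caller a generic message rather than the LPX stack.
      dbms_xmlparser.freeParser(l_parser);
      RAISE_APPLICATION_ERROR(-20002, 'Malformed XML request rejected');
    WHEN OTHERS THEN
      dbms_xmlparser.freeParser(l_parser);
      RAISE;
  END;
  dbms_xmlparser.freeParser(l_parser);
  RETURN l_doc;   -- caller owns the document and frees it with dbms_xmldom.freeDocument
END parse_request_xml;
/
```

Fed the CLOB stored in table t above, the function raises ORA-20001 at the DOCTYPE check; with the check removed it raises ORA-20002 instead of propagating the raw ORA-31011/LPX-00286 stack.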