XML entity processing hardening

[Florian Weimer <fweimer () redhat com>]

I'm in contact with an upstream for an XML processing library who do not 
want to disable entity processing for the embedded DTD subset.

What are recommended practices if you have to do full entity processing, 
but still want to avoid DoS (CPU and memory issues)?

Here's what I came up with:

CPU and memory are separate concerns because depending on the 
implementation, empty entity references may not result in memory 
consumption, but they may still need impossible large amounts of CPU 
time to process.  However, I think it is possible to address the CPU 
aspect purely with memory accounting if we pretend that every entity 
reference expands to at least one character, even if it is empty.

Apart from that, I think it is sufficient to approximate the character 
count in fully-expanded serialized XML content.  This "memory cost" 
would have to memoized for each entity, and counted during entity 
expansion itself and eventual document generation.  During parsing, the 
cost encountered is compared against a pre-computed limit.

The upper cost limit I suggest is 10 times the document size (perhaps 
including the content of external entities, if enabled and parsed, not 
entirely sure about that), plus a fixed baseline of (say) 1 MiB.  These 
numbers are obviously totally arbitrary, but hopefully, they grant 
sufficient flexibility.

--
Florian Weimer / Red Hat Product Security Team