data-access
XXE Security Vulnerability
Hey guys,
I tried reporting this directly to the vendor privately, but they won't fix the issue unless an enterprise edition is purchased. I'm posting a GitHub issue so hopefully someone can provide a patch for the community edition.
Pentaho's XML parser does not disable the parsing of external entities, which is turned on by default. This is a problem because an attacker can upload a malicious XML file, read arbitrary files off the server, and send the contents to a remote server.
An example of the vulnerability exists when importing new metadata via Manage Data Sources > Import Metadata.
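For anyone preparing a community patch, the fix the report is asking for is a parser configuration change rather than new logic. The following is an added example written for this thread, not Pentaho's own code and not the code path behind Import Metadata (which the report does not show): it builds a JAXP `DocumentBuilderFactory` with the standard Xerces/JAXP feature URIs that reject a DOCTYPE and disable external entities, then parses two constructed documents, one benign and one carrying an external entity declaration that points at a placeholder path. The class name, the sample XML and the placeholder path are assumptions made for the demonstration.

```java
// Added example, not Pentaho's code: a DocumentBuilderFactory hardened against XXE,
// demonstrated on two constructed inputs.
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

public class HardenedXmlParserDemo {

    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Rejecting the DOCTYPE outright is the single most effective setting: with no DOCTYPE
        // there are no entity declarations, so no external entities and no expansion bombs.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case a DOCTYPE is ever permitted again for some input.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        try {
            // JAXP 1.5 (Java 7u40+): an empty protocol list forbids every external DTD/schema fetch.
            dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        } catch (IllegalArgumentException olderParser) {
            // Older JAXP implementations do not know these attributes; the feature flags above still apply.
        }
        return dbf;
    }

    public static Document parse(DocumentBuilderFactory dbf, String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder db = dbf.newDocumentBuilder();
        // Last line of defence: resolve every entity to an empty source, so nothing is ever
        // fetched from disk or the network even if a DOCTYPE were somehow accepted.
        db.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return db.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = hardenedFactory();

        // Constructed sample: an ordinary document without a DOCTYPE parses normally.
        String benign = "<metadata><domain name=\"sales\"/></metadata>";
        System.out.println("benign root element: "
                + parse(dbf, benign).getDocumentElement().getTagName());

        // Constructed sample: a DOCTYPE declaring an external entity. The SYSTEM URI is a
        // placeholder that points nowhere; the hardened parser never attempts to resolve it.
        String withDoctype =
                "<!DOCTYPE metadata [<!ENTITY ext SYSTEM \"file:///placeholder/not-a-real-path\">]>"
              + "<metadata>&ext;</metadata>";
        try {
            parse(dbf, withDoctype);
            System.out.println("UNEXPECTED: document with DOCTYPE was accepted");
        } catch (SAXParseException rejected) {
            // Xerces reports that the DOCTYPE is disallowed before any entity is touched.
            System.out.println("rejected as expected: " + rejected.getMessage());
        }
    }
}
```

Compile and run with a standard JDK (no extra libraries are needed; the feature URIs are honoured by the built-in Xerces parser). Applying the same factory configuration wherever the import code constructs its parser, and checking that no other code path builds an unconfigured `DocumentBuilderFactory`, `SAXParserFactory` or `XMLInputFactory`, is the change a patch for the community edition would need.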