Reduce XML external entity vulnerability false positives

Problem

GraphQL support in API Security was recently improved. During testing against the image-target-graphql, several false positive XML External Entity (XXE) vulnerabilities were generated. Two of the regexes used to identify when an XXE vulnerability has occurred look for the name of the local file the check tries to include (/etc/passwd, Windows/System.ini) rather than for the file's contents. Because that filename is part of the injected payload, any target that echoes the request back in an error message, as the GraphQL syntax error below does, matches the regex even though no file was read. This results in false positives.

RegEx: /etc/passwd

Pipeline Job: https://gitlab.com/gitlab-org/security-products/tests/api-fuzzing-e2e/dast-generic/-/jobs/3042676030

Request:

"method": "POST",
"url": "http://target:7779/graphql",
"body": "{\"query\":\"query allThings {allThings(before: \\\"<?xml version=\\\"1.0\\\" encoding=\\\"utf-8\\\"?><!DOCTYPE foo [  <!ELEMENT foo ANY >  <!ENTITY xmlxxe SYSTEM \\\"file:///etc/passwd\\\">]><foo>&xmlxxe;</foo>\\\", after: \\\"hello\\\", first: 42, last: 42) {pageInfo {hasNextPage}}}\",\"variables\":null}"

Response:

"reason_phrase": "BAD REQUEST",
"status_code": 400,
"body": "{\"errors\":[{\"message\":\"Syntax Error GraphQL (1:52) Expected Name, found Float \\\"1.0\\\"\\n\\n1: query allThings {allThings(before: \\\"<?xml version=\\\"1.0\\\" encoding=\\\"utf-8\\\"?><!DOCTYPE foo [  <!ELEMENT foo ANY >  <!ENTITY xmlxxe SYSTEM \\\"file:///etc/passwd\\\">]><foo>&xmlxxe;</foo>\\\", after: \\\"hello\\\", first: 42, last: 42) {pageInfo {hasNextPage}}}\\n                                                      ^\\n\",\"locations\":[{\"line\":1,\"column\":52}]}]}"

Proposal

Remove the two entries in the ResponseAnalysisAssertion and LogAnalysisAssertion configurations that look for filenames rather than file contents.

First Entry to Remove

new ResponseAnalysisAssertionConfigEntry
{
	Category = "XML external entity (XXE) injection",
	Description = "reference to /etc/passwd file path",
	Regex = @"/etc/passwd"
},

Second Entry to Remove

new ResponseAnalysisAssertionConfigEntry
{
	Category = "XML external entity (XXE) injection",
	Description = "reference to Windows/System.ini file path",
	Regex = @"[CcDd]:[/\\][Ww]indows[/\\][Ss]ystem\.ini"
},
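
The following Python script is added here as an illustration and is not part of the API Security code. It reproduces the false positive by running the two regexes above over a response constructed to mirror the GraphQL syntax error quoted in this issue, and contrasts it with two checks that do not fire on a reflected payload: a content signature for /etc/passwd (an assumed pattern for illustration, not a rule from the project's configuration) and a comparison of each match against the payload the scanner sent. The leak response is constructed as well.

```python
import json
import re

# XXE payload as injected into the "before" argument in the quoted request.
XXE_PAYLOAD = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<!DOCTYPE foo [  <!ELEMENT foo ANY >  '
    '<!ENTITY xmlxxe SYSTEM "file:///etc/passwd">]><foo>&xmlxxe;</foo>'
)
QUERY = (
    'query allThings {allThings(before: "' + XXE_PAYLOAD
    + '", after: "hello", first: 42, last: 42) {pageInfo {hasNextPage}}}'
)
REQUEST_BODY = json.dumps({"query": QUERY, "variables": None})

# Constructed to mirror the quoted response: the GraphQL parser rejects the query
# and echoes the whole offending line back, payload included.
ECHO_RESPONSE = json.dumps({"errors": [{
    "message": 'Syntax Error GraphQL (1:52) Expected Name, found Float "1.0"\n\n1: '
               + QUERY + "\n",
    "locations": [{"line": 1, "column": 52}],
}]})

# Constructed response for an actual disclosure: the resolved entity's contents come
# back, but the path /etc/passwd itself does not.
LEAK_RESPONSE = json.dumps({"errors": [{
    "message": "Unexpected value: root:x:0:0:root:/root:/bin/bash\n"
               "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin",
}]})

# The two filename-based entries this issue proposes to remove.
FILENAME_ENTRIES = [
    ("reference to /etc/passwd file path", re.compile(r"/etc/passwd")),
    ("reference to Windows/System.ini file path",
     re.compile(r"[CcDd]:[/\\][Ww]indows[/\\][Ss]ystem\.ini")),
]

# Assumed content signature (not from the project's config): the first line of a
# real /etc/passwd, which a target can only return if the entity was resolved.
CONTENT_ENTRIES = [
    ("contents of /etc/passwd", re.compile(r"root:[x*]?:0:0:")),
]


def analyse(entries, response_body):
    """Plain response analysis: report every entry whose regex matches."""
    return [desc for desc, rx in entries if rx.search(response_body)]


def analyse_ignoring_reflection(entries, payload, response_body):
    """Report an entry only if some match is NOT a substring of the payload we sent,
    so a target that merely echoes the request back is not counted."""
    hits = []
    for desc, rx in entries:
        if any(m.group(0) not in payload for m in rx.finditer(response_body)):
            hits.append(desc)
    return hits


if __name__ == "__main__":
    print("filename regexes vs echo :", analyse(FILENAME_ENTRIES, ECHO_RESPONSE))
    print("content regexes  vs echo :", analyse(CONTENT_ENTRIES, ECHO_RESPONSE))
    print("reflection-aware vs echo :",
          analyse_ignoring_reflection(FILENAME_ENTRIES, XXE_PAYLOAD, ECHO_RESPONSE))
    print("filename regexes vs leak :", analyse(FILENAME_ENTRIES, LEAK_RESPONSE))
    print("content regexes  vs leak :", analyse(CONTENT_ENTRIES, LEAK_RESPONSE))
```

Run as-is, the first line reports the /etc/passwd entry against the echoed syntax error (the false positive), while the content signature and the reflection-aware variant stay quiet on it; against the constructed leak, only the content signature fires, which is why dropping the filename entries costs no true positives in that scenario.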

Tasks

  1. Remove the two entries
    1. ResponseAnalysisAssertion
    2. LogAnalysisAssertion
  2. Add a C# test to validate the change
  3. Update vulnerability counts and CVEs for the GraphQL Schema end-to-end test, verify false positives are no longer reported
  4. Verify all tests are passing
  5. Publish new container with fix
Edited by Michael Eddington