Page 1 of 1

Default REST URL can cause a data leak

PostPosted: Tue Aug 21, 2018 2:13 am
by guido
Hi all,

Thanks for creating this library, so far it seems very useful for generating documents!

I would like to address the following security issue, by default, version 6.0.1 is configured with a hard coded URL to a REST endpoint that allows you to convert your documents into PDF documents. If the "docx4j-export-fo" library is not available in your class path, then this REST endpoint is automatically used for generating PDF documents. This can really be an undesired effect if the developer is not aware that this is happening. I'm referring to the following code:

Docx4j.java:700:
Code: Select all
      if (pdfViaFO()) {
         FOSettings settings = createFOSettings();
         settings.setWmlPackage(wmlPackage);
         settings.setApacheFopMime("application/pdf");
         toFO(settings, outputStream, FLAG_NONE);
      } else {
         
         // Configure this property to point to your own Converter instance.
         String URL = Docx4jProperties.getProperty("com.plutext.converter.URL", "http://converter-eval.plutext.com:80/v1/00000000-0000-0000-0000-000000000000/convert");


If this endpoint would accidentally be used and the documents that are generated contain any personal information, then this would be an official data leak, according to the General Data Protection Regulation in the European union. May I recommend removing the default URL to enforce the user to specifically configure the use of this endpoint?

The workaround to prevent this behavior from happening is including the "docx4j-export-fo"-library and overriding the "com.plutext.converter.URL" property to connect to a fake url pointing to localhost, just to make sure this URL won't be called in case something accidentally gets mis configured. But any modifications in future versions could still result in accidentally using this end-point.

Looking forward to hear your opinion on this matter.

Kind regards,
Guido

Re: Default REST URL can cause a data leak

PostPosted: Tue Aug 21, 2018 7:46 am
by jason
Thanks for your note Guido.

In 6.1.0, the URL will default to 127.0.0.1; it will be up to you to do one of three things if you want PDF output:

1. install the PDF Converter there

2. set the property to point to some other URL, or

3. put the export-FO jar and its deps on your classpath

Re: Default REST URL can cause a data leak

PostPosted: Tue Aug 21, 2018 6:06 pm
by guido
Hi Jason,

Thank you, this sounds like a perfect solution!

Kind regards,
Guido