OX Documents
BSI IT-Grundschutz 2023 sections covered by this page
- CON.10
Specific security risks can be introduced by using applications that run native code within a container. Native applications are included in the OX Document Converter and in OX Image Converter Service. Different techniques can use program faults like buffer overflow for DoS attacks and arbitrary code execution.
Arbitrary Code Execution
Documents imported in OX Document Converter or images imported in OX Image Converter might lead to buffer overflows or similar issues, which sometimes might be used for arbitrary code execution. This is primarily related to problems in third-party components that run natively.
To avoid such issues in the future, thorough code reviews of all import filters have been conducted. Running OX Document Converter and OX Image Converter within a restricted container reduces risk related to native applications further.
Denial of Service (DoS) Attacks
When sending documents to OX Document Converter that would take endless to load or consumes a lot of CPU resources or simply crash the converter, that could be seen as DoS attacks. Different techniques in OX Document Converter avoid such attacks really being DoS attacks. A conversion process will be killed after a configurable amount of time, maximum memory consumption and thread count can be configured, and if some instances crash they will be restarted automatically.
Arbitrary File Inclusion
Documents can contain links to embed content from other documents, files or images. In most cases, it should be allowed to embed images from servers via HTTP, but most likely it should not be possible to embed content from the local file system. The OX Document Converter supports deny-lists and allow-lists. Everything is allowed except it is deny-listed.
Exceptions for the deny-list can be put into the allow-list. The default is to block all file://
URLs. If OX Document Converter has access to intranet servers, where it is possible to access private information via HTTP without authentication, those network ranges should be added to the deny-list.
For details, see documentation com.openexchange.documentconverter.blacklistFile
and com.openexchange.documentconverter.whitelistFile
. To make sure that OX Document Converter cannot access any servers that wouldn’t be reachable from outside the intranet, it is also possible to configure an HTTP proxy for OX Document Converter, which will be used for resolving URLs contained in documents. For details, see documentation com.openexchange.documentconverter.urlLinkProxy
.
Massive requests to other servers
With embedding content from external sources into a document, many requests to other servers can be performed while converting a document. To avoid attacks by uploading documents containing thousands of references to other servers, the request amount per document can be limited. The default is to limit the amount of requests per document to 200, which means that 100 images can be embedded (2 requests are needed for each). For details, see documentation com.openexchange.documentconverter.urlLinkLimit
.