Repository: oozie
Updated Branches:
  refs/heads/master b50d642a8 -> 50fef427d


OOZIE-2489 XML parsing is vulnerable (fdenes via rkanter)


Project: http://git-wip-us.apache.org/repos/asf/oozie/repo
Commit: http://git-wip-us.apache.org/repos/asf/oozie/commit/50fef427
Tree: http://git-wip-us.apache.org/repos/asf/oozie/tree/50fef427
Diff: http://git-wip-us.apache.org/repos/asf/oozie/diff/50fef427

Branch: refs/heads/master
Commit: 50fef427dcc89758a3609c1a8c308b1534790ff6
Parents: b50d642
Author: Robert Kanter <[email protected]>
Authored: Tue Apr 12 14:26:22 2016 -0700
Committer: Robert Kanter <[email protected]>
Committed: Tue Apr 12 14:26:22 2016 -0700

----------------------------------------------------------------------
 client/src/main/java/org/apache/oozie/cli/OozieCLI.java          | 2 ++
 client/src/main/java/org/apache/oozie/client/OozieClient.java    | 1 +
 core/src/main/java/org/apache/oozie/util/GraphGenerator.java     | 3 +++
 core/src/main/java/org/apache/oozie/util/XConfiguration.java     | 4 ++++
 core/src/main/java/org/apache/oozie/util/XmlUtils.java           | 1 +
 release-log.txt                                                  | 1 +
 .../org/apache/oozie/action/hadoop/PrepareActionsDriver.java     | 2 ++
 7 files changed, 14 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/oozie/blob/50fef427/client/src/main/java/org/apache/oozie/cli/OozieCLI.java
----------------------------------------------------------------------
diff --git a/client/src/main/java/org/apache/oozie/cli/OozieCLI.java 
b/client/src/main/java/org/apache/oozie/cli/OozieCLI.java
index d74457e..2a046a9 100644
--- a/client/src/main/java/org/apache/oozie/cli/OozieCLI.java
+++ b/client/src/main/java/org/apache/oozie/cli/OozieCLI.java
@@ -752,6 +752,8 @@ public class OozieCLI {
             docBuilderFactory.setXIncludeAware(true);
             // ignore all comments inside the xml file
             docBuilderFactory.setIgnoringComments(true);
+            docBuilderFactory.setExpandEntityReferences(false);
+            
docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";,
 true);
             DocumentBuilder builder = docBuilderFactory.newDocumentBuilder();
             Document doc = builder.parse(is);
             return parseDocument(doc, conf);
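Review bot: `docBuilderFactory.setXIncludeAware(true)` two lines above the added calls stays in effect, and the DOCTYPE ban does not cover XInclude: an `xi:include` element can still make the parser load another document or text resource, so the external-resource access the patch closes for entities remains reachable through inclusion. If inclusion is a deliberate part of the configuration format, say so on that line, e.g. `// XInclude stays enabled on purpose; DOCTYPE and entity expansion are rejected below.`; otherwise `docBuilderFactory.setXIncludeAware(false);` closes it. The same combination is added in both XConfiguration hunks and in PrepareActionsDriver. `setFeature` can throw `ParserConfigurationException`; the enclosing method's signature is outside the hunk, so whether it declares that cannot be checked here.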

http://git-wip-us.apache.org/repos/asf/oozie/blob/50fef427/client/src/main/java/org/apache/oozie/client/OozieClient.java
----------------------------------------------------------------------
diff --git a/client/src/main/java/org/apache/oozie/client/OozieClient.java 
b/client/src/main/java/org/apache/oozie/client/OozieClient.java
index 67a62c6..2ffbd6a 100644
--- a/client/src/main/java/org/apache/oozie/client/OozieClient.java
+++ b/client/src/main/java/org/apache/oozie/client/OozieClient.java
@@ -650,6 +650,7 @@ public class OozieClient {
             DOMSource source = new DOMSource(doc);
             StreamResult result = new StreamResult(out);
             TransformerFactory transFactory = TransformerFactory.newInstance();
+            
transFactory.setFeature("http://javax.xml.XMLConstants/feature/secure-processing";,
 true);
             Transformer transformer = transFactory.newTransformer();
             transformer.transform(source, result);
             if (getDebugMode() > 0) {
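Review bot: The feature URI on the added line is exactly the value of `javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING`; spelled out as a literal, a typo is only caught at runtime by the `TransformerConfigurationException` that `setFeature` throws, so `transFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` is both safer and self-documenting. The same applies to the XmlUtils hunk. Note that this transform only serialises an already-built DOM (`new DOMSource(doc)` on the first context line), so the parse-time hardening for `doc` has to live wherever it is parsed, which is outside this hunk. The enclosing method starts outside the hunk as well, so it is not visible whether the checked exception is declared or caught.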

http://git-wip-us.apache.org/repos/asf/oozie/blob/50fef427/core/src/main/java/org/apache/oozie/util/GraphGenerator.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/oozie/util/GraphGenerator.java 
b/core/src/main/java/org/apache/oozie/util/GraphGenerator.java
index 357c5c7..6ded2c6 100644
--- a/core/src/main/java/org/apache/oozie/util/GraphGenerator.java
+++ b/core/src/main/java/org/apache/oozie/util/GraphGenerator.java
@@ -101,6 +101,9 @@ public class GraphGenerator {
      */
     public void write(OutputStream out) throws Exception {
         SAXParserFactory spf = SAXParserFactory.newInstance();
+        
spf.setFeature("http://xml.org/sax/features/external-general-entities";, false);
+        
spf.setFeature("http://xml.org/sax/features/external-parameter-entities";, 
false);
+        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl";, 
true);
         spf.setNamespaceAware(true);
         SAXParser saxParser = spf.newSAXParser();
         XMLReader xmlReader = saxParser.getXMLReader();
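Review bot: The three feature names are bare string literals, and the same `disallow-doctype-decl` URI is repeated verbatim in four other files of this commit; unlike `XMLConstants.FEATURE_SECURE_PROCESSING` these Xerces feature names have no JDK constant, so a mistyped URI only surfaces at runtime as `SAXNotRecognizedException`. Declaring them once, e.g. `private static final String DISALLOW_DOCTYPE_DECL = "http://apache.org/xml/features/disallow-doctype-decl";`, and referencing the constant from each parser setup keeps the spelling in one place. A one-line why-comment above the block, `// Reject DOCTYPE and external entities so the parser never fetches resources named by the input.`, would explain the intent to the next reader. The `throws Exception` on `write` visible at the top of the hunk already covers the checked exceptions `setFeature` can raise.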

http://git-wip-us.apache.org/repos/asf/oozie/blob/50fef427/core/src/main/java/org/apache/oozie/util/XConfiguration.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/oozie/util/XConfiguration.java 
b/core/src/main/java/org/apache/oozie/util/XConfiguration.java
index f80d07a..bd62cb1 100644
--- a/core/src/main/java/org/apache/oozie/util/XConfiguration.java
+++ b/core/src/main/java/org/apache/oozie/util/XConfiguration.java
@@ -259,6 +259,8 @@ public class XConfiguration extends Configuration {
             docBuilderFactory.setXIncludeAware(true);
             // ignore all comments inside the xml file
             docBuilderFactory.setIgnoringComments(true);
+            docBuilderFactory.setExpandEntityReferences(false);
+            
docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";,
 true);
             DocumentBuilder builder = docBuilderFactory.newDocumentBuilder();
             Document doc = builder.parse(is);
             parseDocument(doc);
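Review bot: The factory configuration (XInclude, comment handling, entity expansion, DOCTYPE ban) is now duplicated verbatim between this hunk and the one at `@@ -281,6 +283,8 @@`, so a future tightening in one parse path can silently miss the other. A `private static DocumentBuilderFactory newDocumentBuilderFactory() throws ParserConfigurationException` that applies every setting, called from both methods, keeps them in lockstep; the factory creation line is outside both hunks, so the sketch below assumes it is `DocumentBuilderFactory.newInstance()`. Both enclosing methods start outside their hunks.
```java
/** Builds the DocumentBuilderFactory used by both parse paths, with DOCTYPE declarations rejected. */
private static DocumentBuilderFactory newDocumentBuilderFactory() throws ParserConfigurationException {
    DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
    docBuilderFactory.setXIncludeAware(true);
    // ignore all comments inside the xml file
    docBuilderFactory.setIgnoringComments(true);
    docBuilderFactory.setExpandEntityReferences(false);
    // Reject any DOCTYPE: entities (including external ones) can only be declared there.
    docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    return docBuilderFactory;
}
// … unchanged: each parse method then does DocumentBuilder builder = newDocumentBuilderFactory().newDocumentBuilder(); …
```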
@@ -281,6 +283,8 @@ public class XConfiguration extends Configuration {
             docBuilderFactory.setXIncludeAware(true);
             // ignore all comments inside the xml file
             docBuilderFactory.setIgnoringComments(true);
+            docBuilderFactory.setExpandEntityReferences(false);
+            
docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";,
 true);
             DocumentBuilder builder = docBuilderFactory.newDocumentBuilder();
             Document doc = builder.parse(new InputSource(reader));
             parseDocument(doc);

http://git-wip-us.apache.org/repos/asf/oozie/blob/50fef427/core/src/main/java/org/apache/oozie/util/XmlUtils.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/oozie/util/XmlUtils.java 
b/core/src/main/java/org/apache/oozie/util/XmlUtils.java
index 91438b3..f850236 100644
--- a/core/src/main/java/org/apache/oozie/util/XmlUtils.java
+++ b/core/src/main/java/org/apache/oozie/util/XmlUtils.java
@@ -350,6 +350,7 @@ public class XmlUtils {
             StringWriter stringWriter = new StringWriter();
             Result result = new StreamResult(stringWriter);
             TransformerFactory factory = TransformerFactory.newInstance();
+            
factory.setFeature("http://javax.xml.XMLConstants/feature/secure-processing";, 
true);
             Transformer transformer = factory.newTransformer();
             transformer.transform(source, result);
 

http://git-wip-us.apache.org/repos/asf/oozie/blob/50fef427/release-log.txt
----------------------------------------------------------------------
diff --git a/release-log.txt b/release-log.txt
index 7a2f58e..a30a245 100644
--- a/release-log.txt
+++ b/release-log.txt
@@ -1,5 +1,6 @@
 -- Oozie 4.3.0 release (trunk - unreleased)
 
+OOZIE-2489 XML parsing is vulnerable (fdenes via rkanter)
 OOZIE-2485 Oozie client keeps trying to use expired auth token (rkanter)
 OOZIE-2490 Oozie can't set hadoop.security.token.service.use_ip (rkanter)
 OOZIE-2474 <job-xml> is not being applied to the launcher job (rkanter)

http://git-wip-us.apache.org/repos/asf/oozie/blob/50fef427/sharelib/oozie/src/main/java/org/apache/oozie/action/hadoop/PrepareActionsDriver.java
----------------------------------------------------------------------
diff --git 
a/sharelib/oozie/src/main/java/org/apache/oozie/action/hadoop/PrepareActionsDriver.java
 
b/sharelib/oozie/src/main/java/org/apache/oozie/action/hadoop/PrepareActionsDriver.java
index 35e8bfe..21ae456 100644
--- 
a/sharelib/oozie/src/main/java/org/apache/oozie/action/hadoop/PrepareActionsDriver.java
+++ 
b/sharelib/oozie/src/main/java/org/apache/oozie/action/hadoop/PrepareActionsDriver.java
@@ -103,6 +103,8 @@ public class PrepareActionsDriver {
         docBuilderFactory.setXIncludeAware(true);
         // ignore all comments inside the xml file
         docBuilderFactory.setIgnoringComments(true);
+        docBuilderFactory.setExpandEntityReferences(false);
+        
docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";,
 true);
         DocumentBuilder docBuilder = docBuilderFactory.newDocumentBuilder();
         InputStream is = new 
ByteArrayInputStream(prepareXML.getBytes("UTF-8"));
         return docBuilder.parse(is);
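Review bot: Nothing in the hunk says which of the two added lines carries the protection: with `disallow-doctype-decl` enabled the parser rejects any DOCTYPE, which is the only place entities (external ones included) can be declared, so `setExpandEntityReferences(false)` is defence in depth rather than the fix itself. A comment such as `// Reject any DOCTYPE: entities can only be declared there; leaving references unexpanded is a second line of defence.` stops a future reader from treating the two as interchangeable and dropping the wrong one. `setFeature` can throw `ParserConfigurationException`; the enclosing method's signature is outside the hunk, so whether it declares that is not visible here.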
