This is an automated email from the ASF dual-hosted git repository.
runzhiwang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-ratis.git
The following commit(s) were added to refs/heads/master by this push:
new 02caace RATIS-953. XML Parsers should not be vulnerable to XXE
attacks (#126)
02caace is described below
commit 02caace296f4414de3eda9f4469dbd806ca594b1
Author: Doroszlai, Attila <[email protected]>
AuthorDate: Thu Dec 3 02:14:20 2020 +0100
RATIS-953. XML Parsers should not be vulnerable to XXE attacks (#126)
* RATIS-953. XML Parsers should not be vulnerable to XXE attacks
* RATIS-953. Also explicitly disable external DTD/schema
* trigger new CI check
---
.../main/java/org/apache/ratis/conf/RaftProperties.java | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git
a/ratis-common/src/main/java/org/apache/ratis/conf/RaftProperties.java
b/ratis-common/src/main/java/org/apache/ratis/conf/RaftProperties.java
index 928ee92..db5649c 100644
--- a/ratis-common/src/main/java/org/apache/ratis/conf/RaftProperties.java
+++ b/ratis-common/src/main/java/org/apache/ratis/conf/RaftProperties.java
@@ -33,6 +33,7 @@ import org.w3c.dom.NodeList;
import org.w3c.dom.Text;
import org.xml.sax.SAXException;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
@@ -1138,6 +1139,9 @@ public class RaftProperties {
name = wrapper.getName();
DocumentBuilderFactory docBuilderFactory =
DocumentBuilderFactory.newInstance();
+ docBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING,
true);
+ docBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ docBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
//ignore all comments inside the xml file
docBuilderFactory.setIgnoringComments(true);
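Review bot: The three hardening calls inserted right after `DocumentBuilderFactory.newInstance()` here are repeated verbatim in the asXmlDocument hunk, so the two factories can drift apart the next time a flag is added or corrected; a private static helper keeps the XXE configuration in one place and lets both call sites read `DocumentBuilderFactory docBuilderFactory = newSecureDocumentBuilderFactory();`. Note also that none of these settings rejects a DOCTYPE outright: external DTD/entity fetches are blocked and secure processing bounds expansion, but if Ratis configuration files are never expected to declare a DOCTYPE, adding `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` to the helper would close the remaining entity-expansion surface, which is worth confirming against existing config files before adopting. The method this hunk belongs to begins and ends outside the hunk.
```java
/** Single place for the XXE hardening applied to every DocumentBuilderFactory in this class. */
private static DocumentBuilderFactory newSecureDocumentBuilderFactory()
    throws ParserConfigurationException {
  final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
  factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
  factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
  factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
  return factory;
}
// … unchanged: loadResource body up to the factory creation …
DocumentBuilderFactory docBuilderFactory = newSecureDocumentBuilderFactory();
// … unchanged: setIgnoringComments and the rest of the method …
```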
@@ -1309,6 +1313,9 @@ public class RaftProperties {
DOMSource source = new DOMSource(doc);
StreamResult result = new StreamResult(out);
TransformerFactory transFactory = TransformerFactory.newInstance();
+ transFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
Transformer transformer = transFactory.newTransformer();
// Important to not hold Configuration log while writing result, since
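Review bot: `ACCESS_EXTERNAL_SCHEMA` is not one of the JAXP access properties specified for TransformerFactory (those are `ACCESS_EXTERNAL_DTD` and `ACCESS_EXTERNAL_STYLESHEET`), so whether the new line `transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "")` is accepted or throws IllegalArgumentException depends on which implementation `TransformerFactory.newInstance()` finds on the classpath; the JDK's built-in transformer tolerates it, a third-party one may not. Replacing that line with `transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");` removes the portability risk and sets the property that actually governs a transformer's external fetches. Since this is an identity transformer serialising a DOM into `out`, no stylesheet is loaded on this path, so the change is defence in depth rather than closing a live path. The enclosing method starts and ends outside the hunk.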
@@ -1326,8 +1333,11 @@ public class RaftProperties {
private synchronized Document asXmlDocument() throws IOException {
Document doc;
try {
- doc =
-
DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
+ DocumentBuilderFactory docBuilderFactory =
DocumentBuilderFactory.newInstance();
+ docBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING,
true);
+ docBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ docBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+ doc = docBuilderFactory.newDocumentBuilder().newDocument();
} catch (ParserConfigurationException pe) {
throw new IOException(pe);
}
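Review bot: The catch clause directly below the new factory setup only handles ParserConfigurationException, which is what `setFeature` throws, but `setAttribute` reports an unrecognised property with an unchecked IllegalArgumentException, so on a parser implementation that does not know the JAXP access properties this method may now fail with an exception its `throws IOException` contract does not advertise. If the intent is that any parser-setup failure surfaces as IOException, widen the catch to `} catch (ParserConfigurationException | IllegalArgumentException pe) {`. It is also worth a short comment that this factory only ever calls `newDocument()` and never parses input, so the hardening here is for consistency with the loading path rather than protection of this one. asXmlDocument continues past the end of the hunk.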