Dhaval Shah created RANGER-5477:
-----------------------------------
Summary: XML External Entity Injection Security issue in Ranger
Key: RANGER-5477
URL: https://issues.apache.org/jira/browse/RANGER-5477
Project: Ranger
Issue Type: Bug
Components: Ranger
Reporter: Dhaval Shah
Assignee: Bhavesh Amre
Scan has identified XXE as a critical finding.
{code:java}
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
{code}
{code:java}
TransformerFactory tfactory = TransformerFactory.newInstance();
tfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, Boolean.TRUE);
Transformer transformer = tfactory.newTransformer();
transformer.setOutputProperty(OutputKeys.INDENT, "yes");
transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "4");
DOMSource source = new DOMSource(doc);
FileOutputStream out = new FileOutputStream(outFile);
StreamResult result = new StreamResult(out);
transformer.transform(source, result);
out.close();
{code}
file: /agents-installer/src/main/java/org/apache/ranger/utils/install/XmlConfigChanger.java
line number.
For more information, access fortify at below url:
[https://re-fortify.infra.cloudera.com/ssc/html/ssc/]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)