[
https://issues.apache.org/jira/browse/RANGER-5477?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Bhavesh Amre resolved RANGER-5477.
----------------------------------
Fix Version/s: 3.0.0
Resolution: Fixed
Closed.
> XML External Entity Injection Security issue in Ranger
> ------------------------------------------------------
>
> Key: RANGER-5477
> URL: https://issues.apache.org/jira/browse/RANGER-5477
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Reporter: Dhaval Shah
> Assignee: Bhavesh Amre
> Priority: Major
> Fix For: 3.0.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Scan has identified XXE as a critical finding.
> {code:java}
> factory.setFeature("http://xml.org/sax/features/external-general-entities";,
> false);
> factory.setFeature("http://xml.org/sax/features/external-parameter-entities";,
> false);
> factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl";,
> true);{code}
>
> {code:java}
> TransformerFactory tfactory = TransformerFactory.newInstance();
> tfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING,
> Boolean.TRUE);
> Transformer transformer = tfactory.newTransformer();
> transformer.setOutputProperty(OutputKeys.INDENT, "yes");
>
> transformer.setOutputProperty("{http://xml.apache.org/xslt}indent-amount";,
> "4");
>
> DOMSource source = new DOMSource(doc);
> FileOutputStream out = new FileOutputStream(outFile);
> StreamResult result = new StreamResult(out);
> transformer.transform(source, result);
> out.close(); {code}
> file:
> h4.
> /agents-installer/src/main/java/org/apache/ranger/utils/install/XmlConfigChanger.java
> line number.
> For more information, access fortify at below url:
> [https://re-fortify.infra.cloudera.com/ssc/html/ssc/]
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
