
Revert "Revert "Revert "Configure parser factories to prevent XXE att…
…acks - 4thlineGH-9"""

This reverts commit 29e6e56.

and revert again, since we need SAX to list files
courville committed May 6, 2023
1 parent 29e6e56 commit eb0825f
Showing 4 changed files with 7 additions and 80 deletions.
9 changes: 0 additions & 9 deletions xml/src/main/java/org/seamless/xml/DOMParser.java
Expand Up @@ -136,15 +136,6 @@ public DocumentBuilderFactory createFactory(boolean validating) throws ParserExc
factory.setFeature("http://apache.org/xml/features/xinclude/fixup-base-uris", false);
factory.setFeature("http://apache.org/xml/features/xinclude/fixup-language", false);

// Configure parser to prevent XXE attacks
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
factory.setXIncludeAware(false);
factory.setExpandEntityReferences(false);


// Good idea to set a schema when you want to validate! Tell me, how does it work
// without a schema?!
factory.setSchema(getSchema());
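Review bot: The revert strips every hardening line from `createFactory` — `external-general-entities`, `external-parameter-entities`, `load-external-dtd`, `setXIncludeAware(false)` and `setExpandEntityReferences(false)` — while the commit message only cites the SAX file listing as the reason, so nothing here shows the DOM path needed relaxing, and the DocumentBuilderFactory is left at parser defaults for entity resolution. If a DOCTYPE in the input is what broke parsing, keep the removed entity and XInclude settings and leave out only `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`. The same wholesale removal happens in the SAXParser section below. `createFactory` begins above the hunk and its remaining body continues past it.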
21 changes: 7 additions & 14 deletions xml/src/main/java/org/seamless/xml/SAXParser.java
Expand Up @@ -65,23 +65,16 @@ public void setContentHandler(ContentHandler handler) {

protected XMLReader create() {
try {
SAXParserFactory factory = SAXParserFactory.newInstance();

// Configure factory to prevent XXE attacks
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
factory.setXIncludeAware(false);

factory.setNamespaceAware(true);

if (getSchemaSources() != null) {
// Jump through all the hoops and create a validating reader
SAXParserFactory factory = SAXParserFactory.newInstance();
factory.setNamespaceAware(true);
factory.setSchema(createSchema(getSchemaSources()));
XMLReader xmlReader = factory.newSAXParser().getXMLReader();
xmlReader.setErrorHandler(getErrorHandler());
return xmlReader;
}

XMLReader xmlReader = factory.newSAXParser().getXMLReader();
xmlReader.setErrorHandler(getErrorHandler());
return xmlReader;
return XMLReaderFactory.createXMLReader();
} catch (Exception ex) {
throw new RuntimeException(ex);
}
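Review bot: The non-validating path now returns `XMLReaderFactory.createXMLReader()` with no features configured at all, so DOCTYPE declarations, external general/parameter entities and XInclude are all back to parser defaults, and any hardening later applied to `factory` will never reach that branch. The commit message only says the listing needs to parse, which suggests `disallow-doctype-decl` was the feature in the way rather than entity resolution, though that is not visible here; a narrower change keeps the factory-built reader for both branches and drops only the DOCTYPE ban, as below, using the feature names from the removed lines. `XMLReaderFactory` is also deprecated since Java 9 in favour of `SAXParserFactory`, which the validating branch on the two re-added lines already uses. If the hardening is restored this way, the deleted `SAXParserTest`/`xxe.xml` regression test should come back with a DOCTYPE-bearing input that must parse without resolving entities. `create()`'s closing brace lies outside the hunk.
```java
protected XMLReader create() {
    try {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        // Entity resolution and XInclude stay off; only the DOCTYPE ban is
        // dropped so that documents carrying a DTD declaration still parse.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setXIncludeAware(false);
        if (getSchemaSources() != null) {
            // Jump through all the hoops and create a validating reader
            factory.setSchema(createSchema(getSchemaSources()));
        }
        XMLReader xmlReader = factory.newSAXParser().getXMLReader();
        xmlReader.setErrorHandler(getErrorHandler());
        return xmlReader;
    // … unchanged: catch block …
```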
50 changes: 0 additions & 50 deletions xml/src/test/java/org/seamless/test/xml/SAXParserTest.java

This file was deleted.

7 changes: 0 additions & 7 deletions xml/src/test/resources/org/seamless/test/xml/xxe.xml

This file was deleted.
