Posted to commits@ratis.apache.org by ru...@apache.org on 2020/12/03 01:14:28 UTC
[incubator-ratis] branch master updated: RATIS-953. XML Parsers
should not be vulnerable to XXE attacks (#126)
This is an automated email from the ASF dual-hosted git repository.
runzhiwang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-ratis.git
The following commit(s) were added to refs/heads/master by this push:
new 02caace RATIS-953. XML Parsers should not be vulnerable to XXE attacks (#126)
02caace is described below
commit 02caace296f4414de3eda9f4469dbd806ca594b1
Author: Doroszlai, Attila <64...@users.noreply.github.com>
AuthorDate: Thu Dec 3 02:14:20 2020 +0100
RATIS-953. XML Parsers should not be vulnerable to XXE attacks (#126)
* RATIS-953. XML Parsers should not be vulnerable to XXE attacks
* RATIS-953. Also explicitly disable external DTD/schema
* trigger new CI check
---
.../main/java/org/apache/ratis/conf/RaftProperties.java | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/ratis-common/src/main/java/org/apache/ratis/conf/RaftProperties.java b/ratis-common/src/main/java/org/apache/ratis/conf/RaftProperties.java
index 928ee92..db5649c 100644
--- a/ratis-common/src/main/java/org/apache/ratis/conf/RaftProperties.java
+++ b/ratis-common/src/main/java/org/apache/ratis/conf/RaftProperties.java
@@ -33,6 +33,7 @@ import org.w3c.dom.NodeList;
import org.w3c.dom.Text;
import org.xml.sax.SAXException;
+import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
@@ -1138,6 +1139,9 @@ public class RaftProperties {
name = wrapper.getName();
DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
+ docBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ docBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ docBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
//ignore all comments inside the xml file
docBuilderFactory.setIgnoringComments(true);
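Review bot: The two `setAttribute` calls at L36-L37 throw an unchecked `IllegalArgumentException` on parser implementations that predate JAXP 1.5 (an older Xerces picked up via `DocumentBuilderFactory.newInstance()` service lookup is the usual case), and `setFeature` at L35 throws the checked `ParserConfigurationException`; the enclosing method starts before this hunk, so I cannot see which of these is handled there. Both failures should be treated as "do not parse" rather than silently skipping the hardening, and since the same three lines are repeated in the hunk at L55-L58, a single `newSecureDocumentBuilderFactory()` helper would keep the two sites consistent and give the failure a clear message. Also worth a line of comment: `ACCESS_EXTERNAL_DTD = ""` blocks external DTD and entity resolution, but a DOCTYPE in a config file is still parsed; if no Ratis config file legitimately carries one, `docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` closes that off entirely.
```java
/** Creates a DocumentBuilderFactory hardened against XXE: secure processing on, no external DTD/schema access. */
private static DocumentBuilderFactory newSecureDocumentBuilderFactory() throws ParserConfigurationException {
  DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
  factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
  try {
    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
  } catch (IllegalArgumentException e) {
    // parser on the classpath predates JAXP 1.5; fail closed instead of parsing unhardened
    ParserConfigurationException pce = new ParserConfigurationException(
        "XML parser does not support JAXP 1.5 access restrictions: " + e.getMessage());
    pce.initCause(e);
    throw pce;
  }
  return factory;
}
// … unchanged: call site becomes `DocumentBuilderFactory docBuilderFactory = newSecureDocumentBuilderFactory();` …
```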
@@ -1309,6 +1313,9 @@ public class RaftProperties {
DOMSource source = new DOMSource(doc);
StreamResult result = new StreamResult(out);
TransformerFactory transFactory = TransformerFactory.newInstance();
+ transFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
Transformer transformer = transFactory.newTransformer();
// Important to not hold Configuration log while writing result, since
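Review bot: `XMLConstants.ACCESS_EXTERNAL_SCHEMA` at L46 is, as far as I can tell, not a property the transformer consults; the JAXP 1.5 restriction that applies to `TransformerFactory` is `XMLConstants.ACCESS_EXTERNAL_STYLESHEET`, so the intended line is probably `transFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");` (the JDK factory appears to accept the schema attribute silently, so nothing flags this at runtime). As at L36-L37, `setAttribute` is an unchecked `IllegalArgumentException` on a non-JAXP-1.5 implementation such as an older Xalan on the classpath, which the enclosing method (it starts before this hunk) may not expect. Since the input is a `DOMSource` built in-process at L41 and the transformer is created with no stylesheet, the exposure here is small; a short comment saying this hardening is defensive consistency rather than a fix for untrusted input would help the next reader.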
@@ -1326,8 +1333,11 @@ public class RaftProperties {
private synchronized Document asXmlDocument() throws IOException {
Document doc;
try {
- doc =
- DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
+ DocumentBuilderFactory docBuilderFactory = DocumentBuilderFactory.newInstance();
+ docBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ docBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ docBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+ doc = docBuilderFactory.newDocumentBuilder().newDocument();
} catch (ParserConfigurationException pe) {
throw new IOException(pe);
}
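Review bot: The `catch (ParserConfigurationException pe)` at L60 covers `setFeature` at L56 but not the `IllegalArgumentException` that `setAttribute` at L57-L58 raises on parsers without JAXP 1.5 support, so on such a classpath `asXmlDocument()` would propagate an unchecked exception instead of the `IOException` its signature promises. Either widen the catch, `} catch (ParserConfigurationException | IllegalArgumentException pe) {`, or route the factory construction through one shared hardening helper so the handling is identical to the parse path at L34-L37. A one-line comment that the access attributes are set here only so all three factories in the class are configured alike (this factory builds an empty document and never parses input) would make the intent clear.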