[#4592] Improper Restriction of XML External Entity References ('XXE') in XMLasDOMBinding

This commit is contained in:
lukaseder 2015-10-07 13:21:33 +02:00
parent c52c061b3a
commit 567de0a66e


@ -47,6 +47,7 @@ import java.sql.SQLXML;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Result;
import javax.xml.transform.Source;
@ -159,11 +160,33 @@ public class XMLasDOMBinding extends AbstractVarcharBinding<Node> {
try {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
// -----------------------------------------------------------------
// [#4592] FIX START: Prevent OWASP attack vectors
try {
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
}
catch (ParserConfigurationException ignore) {}
try {
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
}
catch (ParserConfigurationException ignore) {}
try {
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
}
catch (ParserConfigurationException ignore) {}
factory.setXIncludeAware(false);
factory.setExpandEntityReferences(false);
// [#4592] FIX END
// -----------------------------------------------------------------
// [#9] [#107] In order to take advantage of namespace-related DOM
// features, the internal builder should be namespace-aware
factory.setNamespaceAware(true);
DocumentBuilder builder = factory.newDocumentBuilder();
DocumentBuilder builder = factory.newDocumentBuilder();
return builder;
}
catch (Exception e) {