authorJon Bratseth <bratseth@oath.com>2018-10-13 10:14:07 +0200
committerJon Bratseth <bratseth@oath.com>2018-10-13 10:14:07 +0200
commit610f41d9904de453ed3e4bfbbfb50700463fd670 (patch)
treeb06d5fbdbaaad2bc5cd90e2d6354692acbec05a7 /libmlr
parent5066a1a539011d38f932f3e2d98a94645ed6b9a7 (diff)
Prevent XXE attacks
Diffstat (limited to 'libmlr')
-rw-r--r--libmlr/pom.xml2
-rw-r--r--libmlr/src/main/java/com/yahoo/yst/libmlr/converter/parser/MlrXmlParser.java12
2 files changed, 9 insertions, 5 deletions
diff --git a/libmlr/pom.xml b/libmlr/pom.xml
index 05b17d7ba50..06fefa97c83 100644
--- a/libmlr/pom.xml
+++ b/libmlr/pom.xml
@@ -7,7 +7,7 @@
<packaging>jar</packaging>
<version>1.0.0-SNAPSHOT</version>
<name>xml2cpp</name>
- <description>Fork of xml2cppConverver with support for SS3 models.</description>
+ <description>Fork of xml2cppConverter with support for SS3 models.</description>
<dependencies>
</dependencies>
<build>
diff --git a/libmlr/src/main/java/com/yahoo/yst/libmlr/converter/parser/MlrXmlParser.java b/libmlr/src/main/java/com/yahoo/yst/libmlr/converter/parser/MlrXmlParser.java
index 1c52b5e9309..c0283efb50a 100644
--- a/libmlr/src/main/java/com/yahoo/yst/libmlr/converter/parser/MlrXmlParser.java
+++ b/libmlr/src/main/java/com/yahoo/yst/libmlr/converter/parser/MlrXmlParser.java
@@ -17,7 +17,6 @@ import java.util.logging.Logger;
* Parses Treenet output V5 into Abstract Treenet XML File format.
*
* @author allenwei
- *
*/
public class MlrXmlParser {
@@ -30,16 +29,21 @@ public class MlrXmlParser {
private HashSet<String> respIdSet = new HashSet<String>(10000);
public MlrFunction parseXmlFile(String fileName) throws DecisionTreeXmlException {
-
File file = new File(fileName);
- if (!file.exists()) {
+ if ( ! file.exists()) {
String errMsg = fileName + " does not exist.";
logErrors(errMsg);
throw new DecisionTreeXmlException(errMsg);
}
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- DocumentBuilder docBuilder = null;
+ try { // XXE prevention
+ dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ }
+ catch (ParserConfigurationException e) {
+ throw new IllegalStateException("Could not disallow-doctype-decl", e);
+ }
+ DocumentBuilder docBuilder;
try {
docBuilder = dbf.newDocumentBuilder();