author | Jon Bratseth <bratseth@oath.com> | 2018-10-13 10:14:07 +0200 |
committer | Jon Bratseth <bratseth@oath.com> | 2018-10-13 10:14:07 +0200 |
commit | 610f41d9904de453ed3e4bfbbfb50700463fd670 (patch) | |
tree | b06d5fbdbaaad2bc5cd90e2d6354692acbec05a7 /libmlr | |
parent | 5066a1a539011d38f932f3e2d98a94645ed6b9a7 (diff) |
Prevent XXE attacks
Diffstat (limited to 'libmlr')
-rw-r--r-- | libmlr/pom.xml | 2 | ||||
-rw-r--r-- | libmlr/src/main/java/com/yahoo/yst/libmlr/converter/parser/MlrXmlParser.java | 12 |
2 files changed, 9 insertions, 5 deletions
diff --git a/libmlr/pom.xml b/libmlr/pom.xml
index 05b17d7ba50..06fefa97c83 100644
--- a/libmlr/pom.xml
+++ b/libmlr/pom.xml
@@ -7,7 +7,7 @@
 <packaging>jar</packaging>
 <version>1.0.0-SNAPSHOT</version>
 <name>xml2cpp</name>
- <description>Fork of xml2cppConverver with support for SS3 models.</description>
+ <description>Fork of xml2cppConverter with support for SS3 models.</description>
 <dependencies>
 </dependencies>
 <build>
diff --git a/libmlr/src/main/java/com/yahoo/yst/libmlr/converter/parser/MlrXmlParser.java b/libmlr/src/main/java/com/yahoo/yst/libmlr/converter/parser/MlrXmlParser.java
index 1c52b5e9309..c0283efb50a 100644
--- a/libmlr/src/main/java/com/yahoo/yst/libmlr/converter/parser/MlrXmlParser.java
+++ b/libmlr/src/main/java/com/yahoo/yst/libmlr/converter/parser/MlrXmlParser.java
@@ -17,7 +17,6 @@ import java.util.logging.Logger;
 * Parses Treenet output V5 into Abstract Treenet XML File format.
 *
 * @author allenwei
- *
 */
 public class MlrXmlParser {
@@ -30,16 +29,21 @@ public class MlrXmlParser {
 private HashSet<String> respIdSet = new HashSet<String>(10000);
 public MlrFunction parseXmlFile(String fileName) throws DecisionTreeXmlException {
- File file = new File(fileName);
- if (!file.exists()) {
+ if ( ! file.exists()) {
 String errMsg = fileName + " does not exist.";
 logErrors(errMsg);
 throw new DecisionTreeXmlException(errMsg);
 }
 DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- DocumentBuilder docBuilder = null;
+ try { // XXE prevention
+ dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ }
+ catch (ParserConfigurationException e) {
+ throw new IllegalStateException("Could not disallow-doctype-decl", e);
+ }
+ DocumentBuilder docBuilder;
 try {
 docBuilder = dbf.newDocumentBuilder();
|
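Review bot: The hardening in the new `try` block rests on one Xerces-specific feature URI, `http://apache.org/xml/features/disallow-doctype-decl`; the `catch` turning `ParserConfigurationException` into `IllegalStateException` makes an unsupported feature fail closed, which is right, but the factory is otherwise left at its defaults, so a JAXP implementation that accepts the URI without honouring it, or a later edit that relaxes the catch, would silently re-enable external entities and XInclude. I would add the portable JAXP settings alongside it as defence in depth (see below) and widen the comment to say what is being refused and why: `// XXE prevention: refuse any DOCTYPE (also blocks entity-expansion DoS) and, in case that feature is ignored, turn off entity and XInclude processing`. Separately, as this page renders the hunk, `File file = new File(fileName);` is removed while the added `if ( ! file.exists()) {` still reads `file`; if the declaration really is gone the method cannot compile, so please confirm it survives (this may be an artefact of the collapsed diff). `parseXmlFile` continues past the end of the hunk.
```java
        try { // XXE prevention: refuse any DOCTYPE; the remaining settings are belt-and-braces if that feature is ignored
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
            dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            dbf.setXIncludeAware(false);
            dbf.setExpandEntityReferences(false);
        }
        // … unchanged: catch (ParserConfigurationException e) rethrown as IllegalStateException …
```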