authorLester Solbakken <lesters@users.noreply.github.com>2018-10-15 08:54:42 +0200
committerGitHub <noreply@github.com>2018-10-15 08:54:42 +0200
commitb1915fc0c68d732870b2bc68706dcf9cf6c5da29 (patch)
treea1110f7c5f65177893e084e906663e937c77c2a0 /libmlr
parentcc32c6a456ad5349ab9e97d73ed12c95adb77cec (diff)
parent610f41d9904de453ed3e4bfbbfb50700463fd670 (diff)
Merge pull request #7298 from vespa-engine/bratseth/prevent-xxe
Prevent XXE attacks
Diffstat (limited to 'libmlr')
-rw-r--r--libmlr/pom.xml2
-rw-r--r--libmlr/src/main/java/com/yahoo/yst/libmlr/converter/parser/MlrXmlParser.java12
2 files changed, 9 insertions, 5 deletions
diff --git a/libmlr/pom.xml b/libmlr/pom.xml
index 05b17d7ba50..06fefa97c83 100644
--- a/libmlr/pom.xml
+++ b/libmlr/pom.xml
@@ -7,7 +7,7 @@
<packaging>jar</packaging>
<version>1.0.0-SNAPSHOT</version>
<name>xml2cpp</name>
- <description>Fork of xml2cppConverver with support for SS3 models.</description>
+ <description>Fork of xml2cppConverter with support for SS3 models.</description>
<dependencies>
</dependencies>
<build>
diff --git a/libmlr/src/main/java/com/yahoo/yst/libmlr/converter/parser/MlrXmlParser.java b/libmlr/src/main/java/com/yahoo/yst/libmlr/converter/parser/MlrXmlParser.java
index 1c52b5e9309..c0283efb50a 100644
--- a/libmlr/src/main/java/com/yahoo/yst/libmlr/converter/parser/MlrXmlParser.java
+++ b/libmlr/src/main/java/com/yahoo/yst/libmlr/converter/parser/MlrXmlParser.java
@@ -17,7 +17,6 @@ import java.util.logging.Logger;
* Parses Treenet output V5 into Abstract Treenet XML File format.
*
* @author allenwei
- *
*/
public class MlrXmlParser {
@@ -30,16 +29,21 @@ public class MlrXmlParser {
private HashSet<String> respIdSet = new HashSet<String>(10000);
public MlrFunction parseXmlFile(String fileName) throws DecisionTreeXmlException {
-
File file = new File(fileName);
- if (!file.exists()) {
+ if ( ! file.exists()) {
String errMsg = fileName + " does not exist.";
logErrors(errMsg);
throw new DecisionTreeXmlException(errMsg);
}
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
- DocumentBuilder docBuilder = null;
+ try { // XXE prevention
+ dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ }
+ catch (ParserConfigurationException e) {
+ throw new IllegalStateException("Could not disallow-doctype-decl", e);
+ }
+ DocumentBuilder docBuilder;
try {
docBuilder = dbf.newDocumentBuilder();