author | Morten Tokle <mortent@yahooinc.com> | 2022-12-08 08:58:26 +0100 |
---|---|---|
committer | Morten Tokle <mortent@yahooinc.com> | 2022-12-08 08:58:26 +0100 |
commit | 10f52b59bd196ad99d2c2343640967fb25470374 (patch) | |
tree | 301401534049043bdc6d6232b3c2816bb06f7d6a /searchlib | |
parent | b6b016d92875d8a6e4aff7257979c0fd58467c5a (diff) |
Add more XXE preventions
Diffstat (limited to 'searchlib')
-rw-r--r-- | searchlib/src/main/java/com/yahoo/searchlib/gbdt/XmlHelper.java | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/searchlib/src/main/java/com/yahoo/searchlib/gbdt/XmlHelper.java b/searchlib/src/main/java/com/yahoo/searchlib/gbdt/XmlHelper.java
index 9780d4b0c17..d50a2e9773d 100644
--- a/searchlib/src/main/java/com/yahoo/searchlib/gbdt/XmlHelper.java
+++ b/searchlib/src/main/java/com/yahoo/searchlib/gbdt/XmlHelper.java
@@ -41,12 +41,24 @@ abstract class XmlHelper {
     public static Element parseXmlStream(InputStream in) throws ParserConfigurationException, IOException, SAXException {
-        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        DocumentBuilderFactory factory = createDocumentBuilderFactory();
         DocumentBuilder builder = factory.newDocumentBuilder();
         Document doc = builder.parse(in);
         return doc.getDocumentElement();
     }
+    private static DocumentBuilderFactory createDocumentBuilderFactory() throws ParserConfigurationException {
+        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        factory.setNamespaceAware(true);
+        factory.setXIncludeAware(false);
+        // XXE prevention
+        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+        return factory;
+    }
+
     public static String getAttributeText(Node node, String name) {
         Node valueNode = node.getAttributes().getNamedItem(name);
         if (valueNode == null) { |
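Review bot: The three features set under `// XXE prevention` in createDocumentBuilderFactory stop the parser from resolving external entities and external DTDs, but they still let it process a DOCTYPE with internal entities, so an entity-expansion document (the "billion laughs" pattern) is not bounded by this change. If the GBDT model files parsed here never legitimately carry a DOCTYPE, the simplest complete hardening is to reject it outright with `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`, which also removes the reliance on the three Xerces-specific feature URIs being honoured by whatever implementation `DocumentBuilderFactory.newInstance()` returns. If a DOCTYPE must remain allowed, add `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` and `factory.setExpandEntityReferences(false);` alongside the existing features to cap entity expansion (`javax.xml.XMLConstants` would need importing, which is outside this hunk). Whether the InputStream handed to parseXmlStream can carry untrusted content is not visible here, and getAttributeText's body continues past the end of the hunk.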