author | Jon Bratseth <bratseth@oath.com> | 2018-10-14 10:49:03 +0200 |
committer | GitHub <noreply@github.com> | 2018-10-14 10:49:03 +0200 |
commit | cb943c079ba1cd53f9e70e92e9c03343e85ec780 (patch) | |
tree | 768db3cfdda94fd96b73783bde9495ca964032e3 /vespa-http-client | |
parent | e2b7c6ed50d94e83e2fc00c8716fcc68ad2a9fbb (diff) | |
parent | 4b60cf8292efa0b9dcb06217813835dc3c873698 (diff) |
Merge pull request #7299 from vespa-engine/bratseth/prevent-xxe-in-xmlfeedreader
Prevent XXE
Diffstat (limited to 'vespa-http-client')
-rw-r--r-- | vespa-http-client/src/main/java/com/yahoo/vespa/http/client/core/XmlFeedReader.java | 15 |
1 files changed, 8 insertions, 7 deletions
diff --git a/vespa-http-client/src/main/java/com/yahoo/vespa/http/client/core/XmlFeedReader.java b/vespa-http-client/src/main/java/com/yahoo/vespa/http/client/core/XmlFeedReader.java
index ba89ed550de..670b30f880d 100644
--- a/vespa-http-client/src/main/java/com/yahoo/vespa/http/client/core/XmlFeedReader.java
+++ b/vespa-http-client/src/main/java/com/yahoo/vespa/http/client/core/XmlFeedReader.java
@@ -14,6 +14,7 @@ import java.util.concurrent.atomic.AtomicInteger;
 /**
 * Reads an input stream of xml, sends these to session.
+ *
 * @author dybis
 */
 public class XmlFeedReader {
@@ -23,12 +24,13 @@ public class XmlFeedReader {
 public static void read(InputStream inputStream, FeedClient feedClient, AtomicInteger numSent) throws Exception {
- SAXParserFactory parserFactor = SAXParserFactory.newInstance();
- parserFactor.setValidating(false);
- parserFactor.setNamespaceAware(false);
- final SAXParser parser = parserFactor.newSAXParser();
+ SAXParserFactory parserFactory = SAXParserFactory.newInstance();
+ // XXE prevention:
+ parserFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ parserFactory.setValidating(false);
+ parserFactory.setNamespaceAware(false);
+ SAXParser parser = parserFactory.newSAXParser();
 SAXClientFeeder saxClientFeeder = new SAXClientFeeder(feedClient, numSent);
- SAXClientFeeder handler = saxClientFeeder;
 InputSource inputSource = new InputSource();
 inputSource.setEncoding(StandardCharsets.UTF_8.displayName());
@@ -36,8 +38,7 @@ public class XmlFeedReader {
 // This is to send events about CDATA to the saxClientFeeder
 // (https://docs.oracle.com/javase/tutorial/jaxp/sax/events.html)
 parser.setProperty("http://xml.org/sax/properties/lexical-handler", saxClientFeeder);
-
- parser.parse(inputSource, handler);
+ parser.parse(inputSource, saxClientFeeder);
 }
 } |
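Review bot: The single `setFeature` call added in the second hunk closes XXE only partly: external parameter entities are still enabled, the external DTD is still fetched, and a DOCTYPE with recursively nested internal entity declarations can still exhaust memory, so a feed read from an untrusted source remains exposed. Unless the feed format needs a DOCTYPE, the robust setting is to reject the DOCTYPE altogether and additionally disable parameter entities, external DTD loading and XInclude, as in the fence below; the `disallow-doctype-decl` and `load-external-dtd` features are Xerces feature names, which the JDK's built-in SAX parser honours, and on another implementation the call fails with a SAXNotRecognizedException that the method's existing `throws Exception` already propagates. The `// XXE prevention:` comment should then say which features are set and why, so a later edit does not drop one of them as redundant. `read` begins in the second hunk and its closing brace is in the third, with the lines between them outside this view.
```java
SAXParserFactory parserFactory = SAXParserFactory.newInstance();
// XXE prevention: reject DOCTYPE entirely; the remaining features are a fallback
// in case the DOCTYPE check has to be relaxed for a feed that declares one.
parserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
parserFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
parserFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
parserFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
parserFactory.setXIncludeAware(false);
// … unchanged: setValidating / setNamespaceAware / newSAXParser and the feeder setup …
```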