diff options
| author | Jon Bratseth <bratseth@oath.com> | 2018-10-13 10:17:45 +0200 |
|---|---|---|
| committer | Jon Bratseth <bratseth@oath.com> | 2018-10-13 10:17:45 +0200 |
| commit | 4b60cf8292efa0b9dcb06217813835dc3c873698 (patch) | |
| tree | e3c09e0508b86ef010c778f4cbdc7c17fa566c5a /vespa-http-client | |
| parent | 5066a1a539011d38f932f3e2d98a94645ed6b9a7 (diff) | |
Prevent XXE
Diffstat (limited to 'vespa-http-client')
| -rw-r--r-- | vespa-http-client/src/main/java/com/yahoo/vespa/http/client/core/XmlFeedReader.java | 15 |
1 files changed, 8 insertions, 7 deletions
diff --git a/vespa-http-client/src/main/java/com/yahoo/vespa/http/client/core/XmlFeedReader.java b/vespa-http-client/src/main/java/com/yahoo/vespa/http/client/core/XmlFeedReader.java index ba89ed550de..670b30f880d 100644 --- a/vespa-http-client/src/main/java/com/yahoo/vespa/http/client/core/XmlFeedReader.java +++ b/vespa-http-client/src/main/java/com/yahoo/vespa/http/client/core/XmlFeedReader.java @@ -14,6 +14,7 @@ import java.util.concurrent.atomic.AtomicInteger; /** * Reads an input stream of xml, sends these to session. + * * @author dybis */ public class XmlFeedReader { @@ -23,12 +24,13 @@ public class XmlFeedReader { public static void read(InputStream inputStream, FeedClient feedClient, AtomicInteger numSent) throws Exception { - SAXParserFactory parserFactor = SAXParserFactory.newInstance(); - parserFactor.setValidating(false); - parserFactor.setNamespaceAware(false); - final SAXParser parser = parserFactor.newSAXParser(); + SAXParserFactory parserFactory = SAXParserFactory.newInstance(); + // XXE prevention: + parserFactory.setFeature("http://xml.org/sax/features/external-general-entities", false); + parserFactory.setValidating(false); + parserFactory.setNamespaceAware(false); + SAXParser parser = parserFactory.newSAXParser(); SAXClientFeeder saxClientFeeder = new SAXClientFeeder(feedClient, numSent); - SAXClientFeeder handler = saxClientFeeder; InputSource inputSource = new InputSource(); inputSource.setEncoding(StandardCharsets.UTF_8.displayName()); @@ -36,8 +38,7 @@ public class XmlFeedReader { // This is to send events about CDATA to the saxClientFeeder // (https://docs.oracle.com/javase/tutorial/jaxp/sax/events.html) parser.setProperty("http://xml.org/sax/properties/lexical-handler", saxClientFeeder); - - parser.parse(inputSource, handler); + parser.parse(inputSource, saxClientFeeder); } } |