authorJon Bratseth <bratseth@oath.com>2018-10-14 10:49:03 +0200
committerGitHub <noreply@github.com>2018-10-14 10:49:03 +0200
commitcb943c079ba1cd53f9e70e92e9c03343e85ec780 (patch)
tree768db3cfdda94fd96b73783bde9495ca964032e3 /vespa-http-client
parente2b7c6ed50d94e83e2fc00c8716fcc68ad2a9fbb (diff)
parent4b60cf8292efa0b9dcb06217813835dc3c873698 (diff)
Merge pull request #7299 from vespa-engine/bratseth/prevent-xxe-in-xmlfeedreader
Prevent XXE
Diffstat (limited to 'vespa-http-client')
-rw-r--r--vespa-http-client/src/main/java/com/yahoo/vespa/http/client/core/XmlFeedReader.java15
1 files changed, 8 insertions, 7 deletions
diff --git a/vespa-http-client/src/main/java/com/yahoo/vespa/http/client/core/XmlFeedReader.java b/vespa-http-client/src/main/java/com/yahoo/vespa/http/client/core/XmlFeedReader.java
index ba89ed550de..670b30f880d 100644
--- a/vespa-http-client/src/main/java/com/yahoo/vespa/http/client/core/XmlFeedReader.java
+++ b/vespa-http-client/src/main/java/com/yahoo/vespa/http/client/core/XmlFeedReader.java
@@ -14,6 +14,7 @@ import java.util.concurrent.atomic.AtomicInteger;
/**
* Reads an input stream of xml, sends these to session.
+ *
* @author dybis
*/
public class XmlFeedReader {
@@ -23,12 +24,13 @@ public class XmlFeedReader {
public static void read(InputStream inputStream, FeedClient feedClient, AtomicInteger numSent) throws Exception {
- SAXParserFactory parserFactor = SAXParserFactory.newInstance();
- parserFactor.setValidating(false);
- parserFactor.setNamespaceAware(false);
- final SAXParser parser = parserFactor.newSAXParser();
+ SAXParserFactory parserFactory = SAXParserFactory.newInstance();
+ // XXE prevention:
+ parserFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ parserFactory.setValidating(false);
+ parserFactory.setNamespaceAware(false);
+ SAXParser parser = parserFactory.newSAXParser();
SAXClientFeeder saxClientFeeder = new SAXClientFeeder(feedClient, numSent);
- SAXClientFeeder handler = saxClientFeeder;
InputSource inputSource = new InputSource();
inputSource.setEncoding(StandardCharsets.UTF_8.displayName());
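Review bot: Disabling only `external-general-entities` at the new `setFeature` line leaves the parser still resolving external parameter entities and the external DTD subset named by a DOCTYPE, so the XXE hardening is incomplete; add `parserFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` and `parserFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);` next to it, or, if feeds are never expected to carry a DOCTYPE, the single stricter `parserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`. The apache.org feature names are implementation-specific and a non-default SAXParserFactory may reject them, but `read` already declares `throws Exception`, so an unsupported feature would surface to the caller instead of silently leaving the parser unhardened, which is the preferable failure mode. Internal entity expansion (the entity-expansion denial-of-service case) is not addressed by any of these flags; enabling `XMLConstants.FEATURE_SECURE_PROCESSING` on the factory applies the JDK's expansion limits. The `// XXE prevention:` comment would be more useful if it stated the scope, e.g. `// XXE prevention: external general entities are not resolved; see features below for parameter entities / DTDs`. The body of `read` continues past this hunk.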
@@ -36,8 +38,7 @@ public class XmlFeedReader {
// This is to send events about CDATA to the saxClientFeeder
// (https://docs.oracle.com/javase/tutorial/jaxp/sax/events.html)
parser.setProperty("http://xml.org/sax/properties/lexical-handler", saxClientFeeder);
-
- parser.parse(inputSource, handler);
+ parser.parse(inputSource, saxClientFeeder);
}
}