author | Martin Polden <mpolden@mpolden.no> | 2022-07-01 09:19:43 +0200 |
committer | Martin Polden <mpolden@mpolden.no> | 2022-07-01 09:21:33 +0200 |
commit | 58d85cd3b93b42e973ff4e15ff4f4bf19e512189 (patch) | |
tree | fdbac0f44a1674bfebc4cb4575d0845cc1e5443c /vespajlib | |
parent | 612f7e017b627d9b95758199fd1820446ed88f41 (diff) |
Disable external entity processing
Diffstat (limited to 'vespajlib')
-rw-r--r-- | vespajlib/src/main/java/com/yahoo/text/XML.java | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/vespajlib/src/main/java/com/yahoo/text/XML.java b/vespajlib/src/main/java/com/yahoo/text/XML.java
index bee0ee72281..6cc042123dc 100644
--- a/vespajlib/src/main/java/com/yahoo/text/XML.java
+++ b/vespajlib/src/main/java/com/yahoo/text/XML.java
@@ -470,8 +470,13 @@ public class XML {
 // Disable include directives. If enabled this allows inclusion of any resource, such as file:/// and
 // http:///, and these are read even if the document eventually fails to parse
 factory.setXIncludeAware(false);
- // Prevent XXE
+ // Prevent XXE by disabling DOCTYPE declarations
 factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ // Disable any kind of external entities. These likely cannot be exploited when doctype is disallowed, but
+ // it's better to leave them disabled in any case. See
+ // https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
+ factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 return factory.newDocumentBuilder();
 } catch (ParserConfigurationException e) {
 throw new RuntimeException("Could not create an XML builder", e); |
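Review bot: The two new external-entity features are the right defense-in-depth companions to disallow-doctype-decl, but the hardening set the OWASP page cited in the new comment recommends for DocumentBuilderFactory also includes `factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);` and `factory.setExpandEntityReferences(false);`, which would close the remaining DTD-fetch and entity-expansion paths should the DOCTYPE setting ever be relaxed or silently unsupported by a substituted parser. The new comment's "likely cannot be exploited when doctype is disallowed" could be stated more precisely as "cannot be declared without a DOCTYPE, so these are belt-and-braces in case that setting is ever relaxed". It is worth noting in the same comment that setFeature throws ParserConfigurationException for an unknown feature, so the catch on the last visible line makes an unsupported parser fail closed rather than parse with entities enabled. The enclosing factory-creation method and its try block begin before this hunk.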