author | Yiheng Cao <65160922+Crispy-fried-chicken@users.noreply.github.com> | 2024-02-02 23:53:21 +0800 |
committer | GitHub <noreply@github.com> | 2024-02-02 15:53:21 +0000 |
commit | 848b0b14d5a9abcbd2be66f62e3b6caa0dc61d9c (patch) | |
tree | 8e2062bc02d059917a290b7f43d175bfcea18a75 | |
parent | 00a317ad73c27dca50a1a0c01755cc54d86526ea (diff) | |
download | nullaway-848b0b14d5a9abcbd2be66f62e3b6caa0dc61d9c.tar.gz |
update for missing a couple possibly unsafe xml parser (#902)
Fixes #901
---------
Co-authored-by: Manu Sridharan <msridhar@gmail.com>
-rw-r--r-- | nullaway/src/main/java/com/uber/nullaway/fixserialization/FixSerializationConfig.java | 2 | ||||
-rw-r--r-- | nullaway/src/main/java/com/uber/nullaway/fixserialization/XMLUtil.java | 25 |
2 files changed, 25 insertions, 2 deletions
diff --git a/nullaway/src/main/java/com/uber/nullaway/fixserialization/FixSerializationConfig.java b/nullaway/src/main/java/com/uber/nullaway/fixserialization/FixSerializationConfig.java
index 5ffca63..769c9ea 100644
--- a/nullaway/src/main/java/com/uber/nullaway/fixserialization/FixSerializationConfig.java
+++ b/nullaway/src/main/java/com/uber/nullaway/fixserialization/FixSerializationConfig.java
@@ -100,7 +100,7 @@ public class FixSerializationConfig {
 public FixSerializationConfig(String configFilePath, int serializationVersion) {
 Document document;
 try {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory factory = XMLUtil.safeDocumentBuilderFactory();
 DocumentBuilder builder = factory.newDocumentBuilder();
 document = builder.parse(Files.newInputStream(Paths.get(configFilePath)));
 document.normalize();
diff --git a/nullaway/src/main/java/com/uber/nullaway/fixserialization/XMLUtil.java b/nullaway/src/main/java/com/uber/nullaway/fixserialization/XMLUtil.java
index 91d45cd..9c0154a 100644
--- a/nullaway/src/main/java/com/uber/nullaway/fixserialization/XMLUtil.java
+++ b/nullaway/src/main/java/com/uber/nullaway/fixserialization/XMLUtil.java
@@ -24,6 +24,7 @@ package com.uber.nullaway.fixserialization;
 
 import java.io.File;
 import javax.annotation.Nullable;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
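Review bot: The stream returned by `Files.newInputStream(Paths.get(configFilePath))` is handed straight to `builder.parse(...)` and nothing in the hunk closes it, so the config file's handle stays open until the stream is finalized; the parse line should become `try (InputStream in = Files.newInputStream(Paths.get(configFilePath))) { document = builder.parse(in); }` (an `InputStream` import may be needed, which is not visible here). Switching to `XMLUtil.safeDocumentBuilderFactory()` also changes the failure mode inside this try block: an unsupported parser feature now surfaces as a RuntimeException rather than a ParserConfigurationException, so the catch clauses that follow should be checked to see whether they were meant to report factory-configuration failures to the user. The constructor's body, including those catch clauses, continues beyond the hunk.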
@@ -95,13 +96,35 @@ public class XMLUtil {
 }
 
 /**
+ * Returns a secure DocumentBuilderFactory object for parsing XML documents. By setting a series
+ * of security features, it helps prevent common XML injection attacks and enhances the security
+ * of XML document parsing.
+ *
+ * @return A secure DocumentBuilderFactory object
+ */
+ public static DocumentBuilderFactory safeDocumentBuilderFactory() {
+ DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+ try {
+ dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ dbf.setFeature("http://apache.org/xml/features/dom/create-entity-ref-nodes", false);
+ dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ } catch (ParserConfigurationException e) {
+ throw new RuntimeException("Error happened in build doc.", e);
+ }
+ return dbf;
+ }
+
+ /**
 * Writes the {@link FixSerializationConfig} in {@code XML} format.
 *
 * @param config Config file to write.
 * @param path Path to write the config at.
 */
 public static void writeInXMLFormat(FixSerializationConfig config, String path) {
- DocumentBuilderFactory docFactory = DocumentBuilderFactory.newInstance();
+ DocumentBuilderFactory docFactory = safeDocumentBuilderFactory();
 try {
 DocumentBuilder docBuilder = docFactory.newDocumentBuilder();
 Document doc = docBuilder.newDocument();
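Review bot: `safeDocumentBuilderFactory()` leaves two hardening settings at their defaults that belong next to the setFeature calls: `dbf.setXIncludeAware(false);` and `dbf.setExpandEntityReferences(false);` turn off XInclude processing and entity expansion through the portable JAXP API, which matters because the five apache.org/xml.org feature URIs are Xerces-specific and give no protection on a JAXP provider that does not recognize them (and `FEATURE_SECURE_PROCESSING` alone only imposes limits, it does not disable external access). Failing closed with a RuntimeException when a feature is unsupported is the right choice, but the message `"Error happened in build doc."` describes document building rather than factory configuration; something like `"Failed to configure a secure DocumentBuilderFactory: the JAXP implementation does not support a required feature."` would point an operator at the actual cause, which is most likely a third-party parser on the annotation-processor classpath. The Javadoc's "prevents common XML injection attacks" is vague; naming the threat, `Disables DTDs, external entities and external DTD loading so that parsing an attacker-controlled config file cannot trigger XXE (file disclosure, SSRF) or entity-expansion denial of service.`, tells the reader what the factory actually guarantees. `writeInXMLFormat` continues past the hunk; if it later obtains a TransformerFactory to serialize the document, that factory is not covered by this change and would need `XMLConstants.ACCESS_EXTERNAL_DTD` and `ACCESS_EXTERNAL_STYLESHEET` set to the empty string as well.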