Prevent XXE vulnerabilities from external resources.

[mikutoga/Pmd2XML.git] / src / main / java / jp / sfjp / mikutoga / pmd2xml / XmlInputUtil.java

diff --git a/src/main/java/jp/sfjp/mikutoga/pmd2xml/XmlInputUtil.java b/src/main/java/jp/sfjp/mikutoga/pmd2xml/XmlInputUtil.java
index e1a87b8..8d5f989 100644 (file)
--- a/src/main/java/jp/sfjp/mikutoga/pmd2xml/XmlInputUtil.java
+++ b/src/main/java/jp/sfjp/mikutoga/pmd2xml/XmlInputUtil.java
@@ -14,6 +14,7 @@ import java.io.InputStream;
 import java.net.MalformedURLException;
 import java.net.URI;
 import java.net.URL;
 import java.net.MalformedURLException;
 import java.net.URI;
 import java.net.URL;

+import javax.xml.XMLConstants;

 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;


@@ -25,6 +26,8 @@ import jp.sfjp.mikutoga.xml.NoopEntityResolver;
 import jp.sfjp.mikutoga.xml.SchemaUtil;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 import jp.sfjp.mikutoga.xml.SchemaUtil;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;

+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;

 import org.xml.sax.XMLReader;
 
 /**
 import org.xml.sax.XMLReader;
 
 /**


@@ -32,6 +35,16 @@ import org.xml.sax.XMLReader;
  */
 final class XmlInputUtil {
 
  */
 final class XmlInputUtil {
 

+    private static final String F_DISALLOW_DOCTYPE_DECL =
+            "http://apache.org/xml/features/disallow-doctype-decl";
+    private static final String F_EXTERNAL_GENERAL_ENTITIES =
+            "http://xml.org/sax/features/external-general-entities";
+    private static final String F_EXTERNAL_PARAMETER_ENTITIES =
+            "http://xml.org/sax/features/external-parameter-entities";
+    private static final String F_LOAD_EXTERNAL_DTD =
+            "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+
+

     /**
      * 隠しコンストラクタ。
      */
     /**
      * 隠しコンストラクタ。
      */


@@ -111,7 +124,20 @@ final class XmlInputUtil {
         factory.setNamespaceAware(true);
         factory.setValidating(false);
         factory.setXIncludeAware(false);
         factory.setNamespaceAware(true);
         factory.setValidating(false);
         factory.setXIncludeAware(false);

-//      factory.setFeature(name, value);
+
+        try{
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            factory.setFeature(F_DISALLOW_DOCTYPE_DECL, true);
+            factory.setFeature(F_EXTERNAL_GENERAL_ENTITIES, false);
+            factory.setFeature(F_EXTERNAL_PARAMETER_ENTITIES, false);
+            factory.setFeature(F_LOAD_EXTERNAL_DTD, false);
+        }catch(   ParserConfigurationException
+                | SAXNotRecognizedException
+                | SAXNotSupportedException e
+                ){
+            assert false;
+            throw new AssertionError(e);
+        }

 
         factory.setSchema(schema);
 
 
         factory.setSchema(schema);
 


@@ -134,7 +160,13 @@ final class XmlInputUtil {
             throw new AssertionError(e);
         }
 
             throw new AssertionError(e);
         }
 

-//      parser.setProperty(name, value);
+        try{
+            parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+            parser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+        }catch(SAXNotRecognizedException | SAXNotSupportedException e){
+            assert false;
+            throw new AssertionError(e);
+        }

 
         return parser;
     }
 
         return parser;
     }