
Merge topic/xxe into develop
authorOlyutorskii <olyutorskii@users.osdn.me>
Wed, 3 Jul 2019 15:45:54 +0000 (00:45 +0900)
committerOlyutorskii <olyutorskii@users.osdn.me>
Wed, 3 Jul 2019 15:45:54 +0000 (00:45 +0900)
CHANGELOG.txt
src/main/java/jp/sfjp/mikutoga/pmd2xml/XmlInputUtil.java

index c09bcd0..970ffcb 100644 (file)
@@ -5,7 +5,7 @@ Pmd2XML 変更履歴
 
 
 X.XXX.X ()
-    * Prevent XXE vulnerabilities with XML-schema(XSD).
+    * Prevent XXE vulnerabilities from external resources.
     * Upgrade ToaGem to 3.122.2
 
 1.202.2 (2019-06-06)
index e1a87b8..8d5f989 100644 (file)
@@ -14,6 +14,7 @@ import java.io.InputStream;
 import java.net.MalformedURLException;
 import java.net.URI;
 import java.net.URL;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
@@ -25,6 +26,8 @@ import jp.sfjp.mikutoga.xml.NoopEntityResolver;
 import jp.sfjp.mikutoga.xml.SchemaUtil;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 import org.xml.sax.XMLReader;
 
 /**
@@ -32,6 +35,16 @@ import org.xml.sax.XMLReader;
  */
 final class XmlInputUtil {
 
+    private static final String F_DISALLOW_DOCTYPE_DECL =
+            "http://apache.org/xml/features/disallow-doctype-decl";
+    private static final String F_EXTERNAL_GENERAL_ENTITIES =
+            "http://xml.org/sax/features/external-general-entities";
+    private static final String F_EXTERNAL_PARAMETER_ENTITIES =
+            "http://xml.org/sax/features/external-parameter-entities";
+    private static final String F_LOAD_EXTERNAL_DTD =
+            "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+
+
     /**
      * 隠しコンストラクタ。
      */
@@ -111,7 +124,20 @@ final class XmlInputUtil {
         factory.setNamespaceAware(true);
         factory.setValidating(false);
         factory.setXIncludeAware(false);
-//      factory.setFeature(name, value);
+
+        try{
+            factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            factory.setFeature(F_DISALLOW_DOCTYPE_DECL, true);
+            factory.setFeature(F_EXTERNAL_GENERAL_ENTITIES, false);
+            factory.setFeature(F_EXTERNAL_PARAMETER_ENTITIES, false);
+            factory.setFeature(F_LOAD_EXTERNAL_DTD, false);
+        }catch(   ParserConfigurationException
+                | SAXNotRecognizedException
+                | SAXNotSupportedException e
+                ){
+            assert false;
+            throw new AssertionError(e);
+        }
 
         factory.setSchema(schema);
 
@@ -134,7 +160,13 @@ final class XmlInputUtil {
             throw new AssertionError(e);
         }
 
-//      parser.setProperty(name, value);
+        try{
+            parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+            parser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+        }catch(SAXNotRecognizedException | SAXNotSupportedException e){
+            assert false;
+            throw new AssertionError(e);
+        }
 
         return parser;
     }
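Review bot: In the two new catch blocks, `assert false;` placed before `throw new AssertionError(e);` means that under `-ea` the bare assert fires first and raises an AssertionError with no cause, so the SAXNotRecognizedException naming the offending feature or property is discarded exactly when it is needed: when a non-Xerces SAX implementation is picked up from the classpath and rejects one of the `http://apache.org/xml/features/...` URIs. Dropping the `assert false;` line and keeping `throw new AssertionError(e);` in both places preserves the cause without changing the fail-closed behaviour, which is the right outcome for XXE hardening (a parser that cannot be locked down should not be used). A short comment above the first `try` would also help a maintainer, e.g. `// disallow-doctype-decl and load-external-dtd are Xerces feature URIs; the JDK's bundled parser accepts them, any other SAX implementation is treated as a fatal misconfiguration.` Both hunks sit inside methods whose signatures are outside the shown lines, so I cannot see whether the caller already documents this contract.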