From: Olyutorskii
Date: Wed, 3 Jul 2019 15:37:56 +0000 (+0900)
Subject: Prevent XXE vulnerabilities from external resources.
X-Git-Tag: release-1.203.2^2~5^2
X-Git-Url: http://git.osdn.net/view?p=mikutoga%2FPmd2XML.git;a=commitdiff_plain;h=b411e754da897e4652364a394c0d077d8df3b78f

Prevent XXE vulnerabilities from external resources.
---
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index c09bcd0..970ffcb 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -5,7 +5,7 @@ Pmd2XML 変更履歴
 X.XXX.X ()
- * Prevent XXE vulnerabilities with XML-schema(XSD).
+ * Prevent XXE vulnerabilities from external resources.
 * Upgrade ToaGem to 3.122.2
 1.202.2 (2019-06-06)
diff --git a/src/main/java/jp/sfjp/mikutoga/pmd2xml/XmlInputUtil.java b/src/main/java/jp/sfjp/mikutoga/pmd2xml/XmlInputUtil.java
index e1a87b8..8d5f989 100644
--- a/src/main/java/jp/sfjp/mikutoga/pmd2xml/XmlInputUtil.java
+++ b/src/main/java/jp/sfjp/mikutoga/pmd2xml/XmlInputUtil.java
@@ -14,6 +14,7 @@ import java.io.InputStream;
 import java.net.MalformedURLException;
 import java.net.URI;
 import java.net.URL;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
@@ -25,6 +26,8 @@ import jp.sfjp.mikutoga.xml.NoopEntityResolver;
 import jp.sfjp.mikutoga.xml.SchemaUtil;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 import org.xml.sax.XMLReader;
 
 /**
@@ -32,6 +35,16 @@ import org.xml.sax.XMLReader;
 */
 final class XmlInputUtil {
 
+ private static final String F_DISALLOW_DOCTYPE_DECL =
+ "http://apache.org/xml/features/disallow-doctype-decl";
+ private static final String F_EXTERNAL_GENERAL_ENTITIES =
+ "http://xml.org/sax/features/external-general-entities";
+ private static final String F_EXTERNAL_PARAMETER_ENTITIES =
+ "http://xml.org/sax/features/external-parameter-entities";
+ private static final String F_LOAD_EXTERNAL_DTD =
+ "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+
+
 /**
 * 隠しコンストラクタ。
 */
@@ -111,7 +124,20 @@ final class XmlInputUtil {
 factory.setNamespaceAware(true);
 factory.setValidating(false);
 factory.setXIncludeAware(false);
-// factory.setFeature(name, value);
+
+ try{
+ factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ factory.setFeature(F_DISALLOW_DOCTYPE_DECL, true);
+ factory.setFeature(F_EXTERNAL_GENERAL_ENTITIES, false);
+ factory.setFeature(F_EXTERNAL_PARAMETER_ENTITIES, false);
+ factory.setFeature(F_LOAD_EXTERNAL_DTD, false);
+ }catch( ParserConfigurationException
+ | SAXNotRecognizedException
+ | SAXNotSupportedException e
+ ){
+ assert false;
+ throw new AssertionError(e);
+ }
 
 factory.setSchema(schema);
 
@@ -134,7 +160,13 @@ final class XmlInputUtil {
 throw new AssertionError(e);
 }
 
-// parser.setProperty(name, value);
+ try{
+ parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ parser.setProperty(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
+ }catch(SAXNotRecognizedException | SAXNotSupportedException e){
+ assert false;
+ throw new AssertionError(e);
+ }
 
 return parser;
 }
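Review bot: The four feature-id constants added at the top of XmlInputUtil carry no comment saying what they are or why all four are kept, which invites a later cleanup to drop the "redundant" ones. A comment above the group along the lines of `// SAX2 / Apache Xerces feature ids: disallow-doctype-decl alone rejects any DOCTYPE (and so every entity declaration); the entity and load-external-dtd features are defense in depth in case it is ever relaxed` would preserve that intent. It is also worth noting in that comment that the two `http://apache.org/...` ids are Xerces-specific rather than standard SAX2 features, since `setFeature` will reject them on a different SAX provider. The two blank lines added after F_LOAD_EXTERNAL_DTD leave a double blank before the constructor Javadoc; one is enough.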
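Review bot: In the new catch block, `assert false;` placed before `throw new AssertionError(e);` works against the diagnostic: with `-ea` the assert fires first and throws an AssertionError that carries no cause, so the SAXNotRecognizedException/SAXNotSupportedException naming the rejected feature is lost exactly when someone is debugging, and without `-ea` the line is a no-op. Dropping `assert false;` and keeping only `throw new AssertionError(e);` preserves the cause in both modes; the catch in the @@ -134 hunk has the same pattern. Separately, a SAXNotRecognizedException here most plausibly means a non-Xerces SAX provider was resolved at runtime, which is an environment condition rather than a programming error, so an AssertionError may not be the outcome callers expect; an exception the caller can report would fit better if the method's signature allows it. A one-line comment on the try block, e.g. `// reject any DOCTYPE outright; the entity/DTD features are defense in depth`, would document why all five settings are kept. The enclosing method starts and ends outside this hunk.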
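Review bot: Setting `XMLConstants.ACCESS_EXTERNAL_DTD` and `XMLConstants.ACCESS_EXTERNAL_SCHEMA` to `""` on the parser only restricts what this parser, and the validation it performs against the schema attached by `factory.setSchema(schema)` in the previous hunk, may fetch while parsing an instance document; it does not govern how `schema` itself was loaded, which happens outside this diff (presumably in SchemaUtil) and needs the same two properties on its SchemaFactory. The CHANGELOG's earlier entry suggests that was handled separately, but it is worth confirming rather than assuming. As in the @@ -111 hunk, `assert false;` ahead of `throw new AssertionError(e);` discards the cause when assertions are enabled. A comment such as `// forbid file/network access for DTDs and schemaLocation hints while parsing` on the try block would make the intent explicit.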