OOZIE-2489 XML parsing is vulnerable (fdenes via rkanter)

apache · Apr 12, 2016 · 50fef42 · 50fef42
1 parent b50d642
commit 50fef42
Show file tree

Hide file tree

Showing 7 changed files with 14 additions and 0 deletions.
diff --git a/client/src/main/java/org/apache/oozie/cli/OozieCLI.java b/client/src/main/java/org/apache/oozie/cli/OozieCLI.java
@@ -752,6 +752,8 @@ private Properties parse(InputStream is, Properties conf) throws IOException {
             docBuilderFactory.setXIncludeAware(true);
             // ignore all comments inside the xml file
             docBuilderFactory.setIgnoringComments(true);
+            docBuilderFactory.setExpandEntityReferences(false);
+            docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
             DocumentBuilder builder = docBuilderFactory.newDocumentBuilder();
             Document doc = builder.parse(is);
             return parseDocument(doc, conf);

diff --git a/client/src/main/java/org/apache/oozie/client/OozieClient.java b/client/src/main/java/org/apache/oozie/client/OozieClient.java
@@ -650,6 +650,7 @@ public void writeToXml(Properties props, OutputStream out) throws IOException {
             DOMSource source = new DOMSource(doc);
             StreamResult result = new StreamResult(out);
             TransformerFactory transFactory = TransformerFactory.newInstance();
+            transFactory.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true);
             Transformer transformer = transFactory.newTransformer();
             transformer.transform(source, result);
             if (getDebugMode() > 0) {

diff --git a/core/src/main/java/org/apache/oozie/util/GraphGenerator.java b/core/src/main/java/org/apache/oozie/util/GraphGenerator.java
@@ -101,6 +101,9 @@ public final void finalize() {
      */
     public void write(OutputStream out) throws Exception {
         SAXParserFactory spf = SAXParserFactory.newInstance();
+        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
         spf.setNamespaceAware(true);
         SAXParser saxParser = spf.newSAXParser();
         XMLReader xmlReader = saxParser.getXMLReader();

diff --git a/core/src/main/java/org/apache/oozie/util/XConfiguration.java b/core/src/main/java/org/apache/oozie/util/XConfiguration.java
@@ -259,6 +259,8 @@ private void parse(InputStream is) throws IOException {
             docBuilderFactory.setXIncludeAware(true);
             // ignore all comments inside the xml file
             docBuilderFactory.setIgnoringComments(true);
+            docBuilderFactory.setExpandEntityReferences(false);
+            docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
             DocumentBuilder builder = docBuilderFactory.newDocumentBuilder();
             Document doc = builder.parse(is);
             parseDocument(doc);
@@ -281,6 +283,8 @@ private void parse(Reader reader) throws IOException {
             docBuilderFactory.setXIncludeAware(true);
             // ignore all comments inside the xml file
             docBuilderFactory.setIgnoringComments(true);
+            docBuilderFactory.setExpandEntityReferences(false);
+            docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
             DocumentBuilder builder = docBuilderFactory.newDocumentBuilder();
             Document doc = builder.parse(new InputSource(reader));
             parseDocument(doc);

diff --git a/core/src/main/java/org/apache/oozie/util/XmlUtils.java b/core/src/main/java/org/apache/oozie/util/XmlUtils.java
@@ -350,6 +350,7 @@ public static String writePropToString(Properties props) throws IOException {
             StringWriter stringWriter = new StringWriter();
             Result result = new StreamResult(stringWriter);
             TransformerFactory factory = TransformerFactory.newInstance();
+            factory.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true);
             Transformer transformer = factory.newTransformer();
             transformer.transform(source, result);
 

diff --git a/release-log.txt b/release-log.txt
@@ -1,5 +1,6 @@
 -- Oozie 4.3.0 release (trunk - unreleased)
 
+OOZIE-2489 XML parsing is vulnerable (fdenes via rkanter)
 OOZIE-2485 Oozie client keeps trying to use expired auth token (rkanter)
 OOZIE-2490 Oozie can't set hadoop.security.token.service.use_ip (rkanter)
 OOZIE-2474 <job-xml> is not being applied to the launcher job (rkanter)

diff --git a/sharelib/oozie/src/main/java/org/apache/oozie/action/hadoop/PrepareActionsDriver.java b/sharelib/oozie/src/main/java/org/apache/oozie/action/hadoop/PrepareActionsDriver.java
@@ -103,6 +103,8 @@ static Document getDocumentFromXML(String prepareXML) throws ParserConfiguration
         docBuilderFactory.setXIncludeAware(true);
         // ignore all comments inside the xml file
         docBuilderFactory.setIgnoringComments(true);
+        docBuilderFactory.setExpandEntityReferences(false);
+        docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
         DocumentBuilder docBuilder = docBuilderFactory.newDocumentBuilder();
         InputStream is = new ByteArrayInputStream(prepareXML.getBytes("UTF-8"));
         return docBuilder.parse(is);