-
Notifications
You must be signed in to change notification settings - Fork 229
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Disable DTDs for XML parsing #6094
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewable status: 0 of 1 files reviewed, 1 unresolved discussion (waiting on @progwriter and @ratulm)
projects/batfish/src/main/java/org/batfish/representation/aws/VpnConnection.java, line 261 at r1 (raw file):
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); // safe parser configuration -- disallows doctypes factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
don't you (also?) need: setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
Codecov Report
@@ Coverage Diff @@
## master #6094 +/- ##
=========================================
Coverage 72.68% 72.69%
- Complexity 34649 34650 +1
=========================================
Files 2815 2815
Lines 141416 141417 +1
Branches 16968 16968
=========================================
+ Hits 102794 102798 +4
+ Misses 30452 30450 -2
+ Partials 8170 8169 -1
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewable status: 0 of 1 files reviewed, 1 unresolved discussion (waiting on @progwriter)
projects/batfish/src/main/java/org/batfish/representation/aws/VpnConnection.java, line 261 at r1 (raw file):
Previously, progwriter (Victor Heorhiadi) wrote…
don't you (also?) need:
setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
Do I?
I was getting info from https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html.
I couldn't really tell if external-dtd needs to be disabled when i've disabled all dtds. I don't really know this stuff. do you?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Reviewed 1 of 1 files at r1.
Reviewable status:complete! all files reviewed, all discussions resolved
projects/batfish/src/main/java/org/batfish/representation/aws/VpnConnection.java, line 261 at r1 (raw file):
Previously, ratulm wrote…
Do I?
I was getting info from https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html.
I couldn't really tell if external-dtd needs to be disabled when i've disabled all dtds. I don't really know this stuff. do you?
still figuring it out. was looking here: https://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
and here https://xerces.apache.org/xerces2-j/features.html#nonvalidating.load-external-dtd
Looks like disallow-doctype-decl
does take precedence, but will crash if xml contains a DOCTYPE declaration. assuming aws won't send us xml like that.
No description provided.