5342: fix XML external entity injection
fcorneli committed Apr 26, 2016
1 parent b0a59e5 commit ec42383
Showing 2 changed files with 29 additions and 9 deletions.
Expand Up @@ -47,6 +47,7 @@
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

import be.e_contract.dssp.client.exception.ClientRuntimeException;
import be.e_contract.dssp.client.exception.SubjectNotAuthorizedException;
Expand Down Expand Up @@ -115,25 +116,32 @@ public static SignResponseVerificationResult checkSignResponse(String signRespon
} catch (Base64DecodingException e) {
throw new SecurityException("no Base64");
}

// DOM parsing
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setNamespaceAware(true);
documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
InputStream signResponseInputStream = new ByteArrayInputStream(decodedSignResponseMessage);
Document signResponseDocument;
try {
signResponseDocument = documentBuilder.parse(signResponseInputStream);
} catch (SAXParseException e) {
throw new SecurityException("no valid SignResponse XML");
}

// JAXB parsing
JAXBContext jaxbContext = JAXBContext.newInstance(ObjectFactory.class,
be.e_contract.dssp.ws.jaxb.dss.async.ObjectFactory.class,
be.e_contract.dssp.ws.jaxb.wsa.ObjectFactory.class, be.e_contract.dssp.ws.jaxb.wsu.ObjectFactory.class);
Unmarshaller unmarshaller = jaxbContext.createUnmarshaller();
SignResponse signResponse;
try {
signResponse = (SignResponse) unmarshaller.unmarshal(new ByteArrayInputStream(decodedSignResponseMessage));
signResponse = (SignResponse) unmarshaller.unmarshal(signResponseDocument);
} catch (UnmarshalException e) {
throw new SecurityException("no valid SignResponse XML");
}

// DOM parsing
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setNamespaceAware(true);
DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
InputStream signResponseInputStream = new ByteArrayInputStream(decodedSignResponseMessage);
Document signResponseDocument = documentBuilder.parse(signResponseInputStream);

// signature verification
NodeList signatureNodeList = signResponseDocument.getElementsByTagNameNS("http://www.w3.org/2000/09/xmldsig#",
"Signature");
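Review bot: The new `} catch (SAXParseException e) {` around the DOM parse drops `e`, so a SignResponse rejected because it carries a DOCTYPE (the case the newly enabled disallow-doctype-decl feature reports as a fatal parse error) cannot be told apart from plain malformed XML in logs; `throw new SecurityException("no valid SignResponse XML", e);` keeps the cause without changing the exception type callers catch. A one-line comment above the `setFeature` call would also help the next maintainer: the feature name is Xerces-specific, and if the configured JAXP parser does not recognise it `setFeature` throws ParserConfigurationException, which fails closed rather than quietly parsing — presumably intended, so state it, e.g. `// reject any DTD (blocks external entities); an unsupported parser throws here, i.e. fails closed`. The enclosing checkSignResponse begins and ends outside the hunk, so whether ParserConfigurationException and the non-parse SAXException/IOException that parse() can raise are declared or wrapped is not visible here.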
Expand Up @@ -28,6 +28,10 @@
import javax.xml.bind.JAXBElement;
import javax.xml.bind.Unmarshaller;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;

import be.e_contract.dssp.ws.jaxb.dssp.DigitalSignatureServiceDescriptorType;
import be.e_contract.dssp.ws.jaxb.metadata.EntityDescriptorType;
Expand All @@ -46,6 +50,8 @@
*/
public class DigitalSignatureServiceMetadata implements Serializable {

private static final long serialVersionUID = 1L;

private final static QName _X509DataTypeX509Certificate_QNAME = new QName("http://www.w3.org/2000/09/xmldsig#",
"X509Certificate");

Expand All @@ -63,10 +69,16 @@ public class DigitalSignatureServiceMetadata implements Serializable {
* @throws Exception
*/
public DigitalSignatureServiceMetadata(String metadataLocation) throws Exception {
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setNamespaceAware(true);
documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
Document document = documentBuilder.parse(new URL(metadataLocation).openStream());

JAXBContext jaxbContext = JAXBContext.newInstance(ObjectFactory.class);
Unmarshaller unmarshaller = jaxbContext.createUnmarshaller();
JAXBElement<EntityDescriptorType> entityDescriptorElement = (JAXBElement<EntityDescriptorType>) unmarshaller
.unmarshal(new URL(metadataLocation));
.unmarshal(document);
EntityDescriptorType entityDescriptor = entityDescriptorElement.getValue();
List<RoleDescriptorType> roleDescriptors = entityDescriptor
.getRoleDescriptorOrIDPSSODescriptorOrSPSSODescriptor();
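Review bot: The stream from `new URL(metadataLocation).openStream()` on the new `Document document = ...` line is never closed; `DocumentBuilder.parse(InputStream)` does not promise to close its input, and the replaced `unmarshal(new URL(...))` let JAXB own the connection, so every constructed instance can now leak a connection. Declare `Document document;` first and parse inside `try (InputStream in = new URL(metadataLocation).openStream()) { document = documentBuilder.parse(in); }` (needs `java.io.InputStream` in the import block, which lies outside this hunk, and Java 7 or later). The hardening itself looks sound: disallowing DOCTYPE declarations removes external entity declarations at the source, and an unsupported feature name fails closed through ParserConfigurationException rather than parsing anyway. The constructor body continues past the hunk.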

