[SECURITY-2394] Prevent XXE (#205)

Co-authored-by: Alexander Straube <alexander.straube@gmail.com>
jenkinsci · Apr 7, 2022 · b0b4e74 · b0b4e74 · aag1i · May 23, 2022
1 parent 13371ad
commit b0b4e74
Show file tree

Hide file tree

Showing 4 changed files with 4 additions and 0 deletions.
diff --git a/src/main/java/hudson/plugins/performance/parsers/JMeterParser.java b/src/main/java/hudson/plugins/performance/parsers/JMeterParser.java
@@ -90,6 +90,7 @@ public static boolean isXmlFile(File file) throws IOException {
      */
     PerformanceReport parseXml(File reportFile) throws Exception {
         final SAXParserFactory factory = SAXParserFactory.newInstance();
+        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
         factory.setValidating(false);
         factory.setNamespaceAware(false);
 

diff --git a/src/main/java/hudson/plugins/performance/parsers/JUnitParser.java b/src/main/java/hudson/plugins/performance/parsers/JUnitParser.java
@@ -51,6 +51,7 @@ public String getDefaultGlobPattern() {
     PerformanceReport parse(File reportFile) throws Exception {
 
         final SAXParserFactory factory = SAXParserFactory.newInstance();
+        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
         factory.setValidating(false);
         factory.setNamespaceAware(false);
 

diff --git a/src/main/java/hudson/plugins/performance/parsers/ParserDetector.java b/src/main/java/hudson/plugins/performance/parsers/ParserDetector.java
@@ -144,6 +144,7 @@ private static String detectXMLFileType(String reportPath) throws IOException {
     @VisibleForTesting
     protected static String detectXMLFileType(final InputStream in) throws XMLStreamException {
         XMLInputFactory inputFactory = XMLInputFactory.newInstance();
+        inputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
         XMLEventReader eventReader = inputFactory.createXMLEventReader(in);
 
         while (eventReader.hasNext()) {

diff --git a/src/main/java/hudson/plugins/performance/parsers/TaurusParser.java b/src/main/java/hudson/plugins/performance/parsers/TaurusParser.java
@@ -56,6 +56,7 @@ private PerformanceReport readFromXML(File reportFile) throws Exception {
 
         DocumentBuilderFactory dbFactory
                 = DocumentBuilderFactory.newInstance();
+        dbFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
         DocumentBuilder dBuilder = dbFactory.newDocumentBuilder();
         Document doc = dBuilder.parse(reportFile);
         doc.getDocumentElement().normalize();