Merge pull request #97 from radiovideo/XXE-vulnerability-fix
Fix DocumentBuilderFactory XXE vulnerability
drbgfc committed Jul 29, 2021
2 parents 4aa1cc0 + 1fc66d1 commit fbd8ea1
Showing 1 changed file with 10 additions and 1 deletion.
Expand Up @@ -23,6 +23,7 @@

import javax.persistence.EntityManagerFactory;
import javax.sql.DataSource;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
Expand Down Expand Up @@ -132,7 +133,15 @@ public static List<ConfiguredExpression> vocabularyValidationConfigurations(Vali

@Bean
public DocumentBuilder documentBuilder() throws ParserConfigurationException {
DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance();
DocumentBuilderFactory domFactory = DocumentBuilderFactory.newInstance("com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl", ClassLoader.getSystemClassLoader());
domFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
domFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
domFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
domFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
domFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
domFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
domFactory.setXIncludeAware(false);
domFactory.setExpandEntityReferences(false);
domFactory.setNamespaceAware(true);
return domFactory.newDocumentBuilder();
}
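Review bot: The factory is pinned to the JDK-internal class `com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl`, which is not a supported API and is absent on runtimes that bundle a different JAXP implementation, so this bean would fail at startup there; a comment should record why the default `DocumentBuilderFactory.newInstance()` lookup was not used (presumably so the Xerces-specific feature URIs below are guaranteed to be recognised). The `disallow-doctype-decl` feature also rejects every document that carries a DOCTYPE, not only hostile ones, which is a behaviour change for consumers of this bean worth stating in the method's Javadoc. I would add above the first `setAttribute` line: `// XXE hardening: forbid DOCTYPE entirely; the entity, DTD and XInclude settings below are defence in depth should the doctype feature be unavailable.` The method is fully visible in the hunk.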
