fixes XML eXternal Entity injection (XXE)
wfro64 committed Oct 20, 2023
1 parent bc3980f commit ce7a71d
Showing 1 changed file with 28 additions and 4 deletions.
Expand Up @@ -221,16 +221,40 @@ protected String getCleanPath(
}

/**
* Return JAXP document builder instance.
* Get XML document builder.
*
* @return
* @throws ServiceException
*/
protected DocumentBuilder getDocumentBuilder(
) throws ServiceException {
DocumentBuilder documentBuilder = null;
DocumentBuilderFactory documentBuilderFactory = null;
documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setNamespaceAware(true);
// Flags required to prevent XML eXternal Entity injection (XXE)
try {
documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
} catch (ParserConfigurationException e) {
throw new ServiceException(e);
}
try {
documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
} catch (ParserConfigurationException e) {
throw new ServiceException(e);
}
try {
documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
} catch (ParserConfigurationException e) {
throw new ServiceException(e);
}
try {
documentBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
} catch (ParserConfigurationException e) {
throw new ServiceException(e);
}
try {
documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setNamespaceAware(true);
documentBuilder = documentBuilderFactory.newDocumentBuilder();
documentBuilder = documentBuilderFactory.newDocumentBuilder();
} catch (ParserConfigurationException e) {
throw new ServiceException(e);
}
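Review bot: The four `setFeature` calls in `getDocumentBuilder` each sit in their own try/catch that rethrows the same `ServiceException`; they can share a single try block with `newDocumentBuilder()`, which keeps the fail-closed behaviour and makes the hardening easier to audit in one place. The factory also leaves `setXIncludeAware(false)` and `setExpandEntityReferences(false)` unset; both are commonly paired with these flags so the result does not depend on implementation defaults. Because `disallow-doctype-decl` now rejects every document that carries a DOCTYPE, a short comment saying so would help whoever later debugs a rejected request, and the empty `@return` tag in the new Javadoc should name what is returned. The method body continues past the end of the hunk.

```java
// … unchanged: newInstance() and setNamespaceAware(true) …
try {
    // disallow-doctype-decl rejects any document with a DOCTYPE; the remaining
    // settings are defence in depth in case that feature is ever relaxed.
    documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
    documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    documentBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    documentBuilderFactory.setXIncludeAware(false);
    documentBuilderFactory.setExpandEntityReferences(false);
    documentBuilder = documentBuilderFactory.newDocumentBuilder();
} catch (ParserConfigurationException e) {
    throw new ServiceException(e);
}
```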