diff --git a/quartz-core/src/main/java/org/quartz/xml/XMLSchedulingDataProcessor.java b/quartz-core/src/main/java/org/quartz/xml/XMLSchedulingDataProcessor.java
index ab3b819fb..737c5b8a5 100644
--- a/quartz-core/src/main/java/org/quartz/xml/XMLSchedulingDataProcessor.java
+++ b/quartz-core/src/main/java/org/quartz/xml/XMLSchedulingDataProcessor.java
@@ -174,6 +174,13 @@ protected void initDocumentParser() throws ParserConfigurationException {
 docBuilderFactory.setAttribute("http://java.sun.com/xml/jaxp/properties/schemaSource", resolveSchemaSource());
+ docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ docBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ docBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ docBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ docBuilderFactory.setXIncludeAware(false);
+ docBuilderFactory.setExpandEntityReferences(false);
+
 docBuilder = docBuilderFactory.newDocumentBuilder();
 docBuilder.setErrorHandler(this);
diff --git a/quartz-core/src/test/java/org/quartz/xml/XMLSchedulingDataProcessorTest.java b/quartz-core/src/test/java/org/quartz/xml/XMLSchedulingDataProcessorTest.java
index 4aeb64649..7fdecb6eb 100755
--- a/quartz-core/src/test/java/org/quartz/xml/XMLSchedulingDataProcessorTest.java
+++ b/quartz-core/src/test/java/org/quartz/xml/XMLSchedulingDataProcessorTest.java
@@ -30,6 +30,7 @@
 import org.quartz.simpl.SimpleThreadPool;
 import org.quartz.spi.ClassLoadHelper;
 import org.quartz.utils.DBConnectionManager;
+import org.xml.sax.SAXParseException;
 
 /**
  * Unit test for XMLSchedulingDataProcessor.
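Review bot: The four `setFeature` calls in initDocumentParser use Xerces-specific feature URIs, so on a JAXP implementation that does not recognise them `setFeature` throws ParserConfigurationException and parser initialisation fails closed instead of silently running without the hardening; that is the right default for XXE protection, but it is not obvious from the code and deserves a comment such as `// XXE hardening: forbid DOCTYPE and external entity/DTD resolution. Unsupported feature names fail fast rather than fall back to an unhardened parser.` Consider also setting the portable baseline `docBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` (needs `javax.xml.XMLConstants`) ahead of the parser-specific features, so a non-Xerces parser still gets JAXP's secure-processing limits. Note that `setExpandEntityReferences(false)` on its own only leaves entity references unexpanded in the DOM and does not stop external resolution, so it should be read as defence in depth behind `disallow-doctype-decl`, not as a standalone control. initDocumentParser starts before the hunk.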
@@ -356,6 +357,31 @@ public void testOverwriteJobClassNotFound() throws Exception {
 }
 }
 
+ public void testXmlParserConfiguration() throws Exception {
+ Scheduler scheduler = null;
+ try {
+ StdSchedulerFactory factory = new StdSchedulerFactory("org/quartz/xml/quartz-test.properties");
+ scheduler = factory.getScheduler();
+ ClassLoadHelper clhelper = new CascadingClassLoadHelper();
+ clhelper.initialize();
+ XMLSchedulingDataProcessor processor = new XMLSchedulingDataProcessor(clhelper);
+ processor.processFileAndScheduleJobs("org/quartz/xml/bad-job-config.xml", scheduler);
+
+
+ final JobKey jobKey = scheduler.getJobKeys(GroupMatcher.jobGroupEquals("native")).iterator().next();
+ final JobDetail jobDetail = scheduler.getJobDetail(jobKey);
+ final String description = jobDetail.getDescription();
+
+
+ fail("Expected parser configuration to block DOCTYPE. The following was injected into the job description field: " + description);
+ } catch (SAXParseException e) {
+ assertTrue(e.getMessage().contains("DOCTYPE is disallowed"));
+ } finally {
+ if (scheduler != null)
+ scheduler.shutdown();
+ }
+ }
+
 private void modifyStoredJobClassName() throws Exception {
 String DB_NAME = "XmlDeleteNonExistsJobTestDatasase";
 Connection conn = DBConnectionManager.getInstance().getConnection(DB_NAME);
diff --git a/quartz-core/src/test/resources/org/quartz/xml/bad-job-config.xml b/quartz-core/src/test/resources/org/quartz/xml/bad-job-config.xml
new file mode 100755
index 000000000..9aeb56736
--- /dev/null
+++ b/quartz-core/src/test/resources/org/quartz/xml/bad-job-config.xml
@@ -0,0 +1,15 @@
+
+
+ ]>
+
+
+
+ xxe
+ native
+ &xxe;
+ org.quartz.xml.XMLSchedulingDataProcessorTest$MyJob
+ true
+ false
+
+
+
\ No newline at end of file
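Review bot: `assertTrue(e.getMessage().contains("DOCTYPE is disallowed"))` in the catch block of testXmlParserConfiguration pins a Xerces-specific error message, so the test fails on a JAXP implementation that rejects the DOCTYPE with different wording even though the parser is correctly hardened; reaching the `catch (SAXParseException e)` already proves the document was refused at parse time, so either drop the message check or mark it with `// message wording is Xerces-specific; the SAXParseException itself is the real assertion`. If `processFileAndScheduleJobs` wraps the parse failure in another exception type (not visible in this hunk), the catch is bypassed and the test errors without the diagnostic in the `fail(...)` message, so asserting on the cause chain would be more robust. The hardening this test covers is the feature block in XMLSchedulingDataProcessor.initDocumentParser from the first file of this commit. As a point of style, the unbraced `if (scheduler != null) scheduler.shutdown();` in the `finally` block and the doubled blank lines inside `try` read as unfinished; braces on the one-line `if` and single blank lines would match conventional Java formatting.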