Fix XXE injection attack by disabling XML DTD handling
robin committed Nov 21, 2020
1 parent d6fc421 commit 9196fd7
Showing 1 changed file with 6 additions and 2 deletions.
Expand Up @@ -10,6 +10,7 @@
import org.dom4j.DocumentException;
import org.dom4j.Element;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;
import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.DumperOptions.FlowStyle;
import org.yaml.snakeyaml.emitter.Emitter;
Expand Down Expand Up @@ -662,8 +663,11 @@ private static List<Node> migrateFieldSupplies(List<Element> fieldSupplyElements
public static String migrate(String xml) {
Document xmlDoc;
try {
xmlDoc = new SAXReader().read(new StringReader(xml));
} catch (DocumentException e) {
SAXReader reader = new SAXReader();
// Prevent XXE attack as the xml might be provided by malicious users
reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
xmlDoc = reader.read(new StringReader(xml));
} catch (DocumentException | SAXException e) {
throw new RuntimeException(e);
}

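Review bot: The added comment on the `disallow-doctype-decl` line does not say that the parser now rejects every document carrying a DOCTYPE, including benign ones, and that such input surfaces as a `RuntimeException` wrapping a `SAXParseException` from the unchanged catch block; a caller that previously accepted DTD-bearing XML will see a behaviour change the commit message does not mention. I would extend the comment to `// Prevent XXE: reject any DOCTYPE outright (entities cannot be declared without one). Documents with a DTD, even harmless ones, now fail to parse.` The feature name is Apache/Xerces-specific, so on a non-Xerces SAX implementation `setFeature` can throw `SAXNotRecognizedException`, which the new multi-catch turns into a `RuntimeException` — that fails closed, which is the right default, but a short note such as `// Xerces-specific feature; unsupported parsers fail closed via the catch below` would keep the next maintainer from "fixing" it by swallowing the exception. For defence in depth, if the underlying parser ever changes, consider also `reader.setFeature("http://xml.org/sax/features/external-general-entities", false);` and `reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);`, though with DOCTYPE disallowed these add nothing on Xerces. The body of `migrate` continues past the end of the hunk.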
