
Fix XXE injection attack by disabling XML DTD handling

robin committed Nov 21, 2020
1 parent d6fc421 commit 9196fd795e87dab069b4260a3590a0ea886e770f
Showing with 6 additions and 2 deletions.
  1. +6 −2 server-core/src/main/java/io/onedev/server/migration/XmlBuildSpecMigrator.java
@@ -10,6 +10,7 @@
import org.dom4j.DocumentException;
import org.dom4j.Element;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;
import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.DumperOptions.FlowStyle;
import org.yaml.snakeyaml.emitter.Emitter;
@@ -662,8 +663,11 @@ private static Node migrateJobDependency(Element jobDependencyElement) {
public static String migrate(String xml) {
Document xmlDoc;
try {
xmlDoc = new SAXReader().read(new StringReader(xml));
} catch (DocumentException e) {
SAXReader reader = new SAXReader();
// Prevent XXE attack as the xml might be provided by malicious users
reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
xmlDoc = reader.read(new StringReader(xml));
} catch (DocumentException | SAXException e) {
throw new RuntimeException(e);
}
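Review bot: The hardened reader at `reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` relies on a single parser feature; as defence in depth I would also set `reader.setFeature("http://xml.org/sax/features/external-general-entities", false);`, `reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` and `reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);` so the reader stays safe even if the first feature is ever relaxed for documents with a legitimate DOCTYPE. Note that a parser that does not recognise the feature makes setFeature throw a SAXNotRecognizedException, which the new multi-catch wraps into the RuntimeException, so the method fails closed rather than silently parsing; the comment could say so, e.g. `// SAXNotRecognizedException from setFeature surfaces as RuntimeException: misconfiguration fails closed`. Because the configuration lives inline here, any other SAXReader constructed elsewhere in the codebase (if there are any) would not inherit it; a small `private static SAXReader newSecureReader() throws SAXException` helper would keep every call site on the same settings. The tail of migrate() continues outside the hunk.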
