Fix XXE vulnerability for JDom parsers.

joehni · joehni · commit 87172cfc1dd7 · 2015-10-01T20:01:45.000+02:00
diff --git a/xstream/src/java/com/thoughtworks/xstream/io/xml/JDom2Driver.java b/xstream/src/java/com/thoughtworks/xstream/io/xml/JDom2Driver.java
@@ -49,7 +49,7 @@ public JDom2Driver(final NameCoder nameCoder) {
     @Override
     public HierarchicalStreamReader createReader(final Reader reader) {
         try {
-            final SAXBuilder builder = new SAXBuilder();
+            final SAXBuilder builder = createBuilder();
             final Document document = builder.build(reader);
             return new JDom2Reader(document, getNameCoder());
         } catch (final IOException e) {
@@ -62,7 +62,7 @@ public HierarchicalStreamReader createReader(final Reader reader) {
     @Override
     public HierarchicalStreamReader createReader(final InputStream in) {
         try {
-            final SAXBuilder builder = new SAXBuilder();
+            final SAXBuilder builder = createBuilder();
             final Document document = builder.build(in);
             return new JDom2Reader(document, getNameCoder());
         } catch (final IOException e) {
@@ -75,7 +75,7 @@ public HierarchicalStreamReader createReader(final InputStream in) {
     @Override
     public HierarchicalStreamReader createReader(final URL in) {
         try {
-            final SAXBuilder builder = new SAXBuilder();
+            final SAXBuilder builder = createBuilder();
             final Document document = builder.build(in);
             return new JDom2Reader(document, getNameCoder());
         } catch (final IOException e) {
@@ -88,7 +88,7 @@ public HierarchicalStreamReader createReader(final URL in) {
     @Override
     public HierarchicalStreamReader createReader(final File in) {
         try {
-            final SAXBuilder builder = new SAXBuilder();
+            final SAXBuilder builder = createBuilder();
             final Document document = builder.build(in);
             return new JDom2Reader(document, getNameCoder());
         } catch (final IOException e) {
@@ -107,4 +107,16 @@ public HierarchicalStreamWriter createWriter(final Writer out) {
     public HierarchicalStreamWriter createWriter(final OutputStream out) {
         return new PrettyPrintWriter(new OutputStreamWriter(out));
     }
+
+    /**
+     * Create and initialize the SAX builder.
+     * 
+     * @return the SAX builder instance.
+     * @since upcoming
+     */
+    protected SAXBuilder createBuilder() {
+        final SAXBuilder builder = new SAXBuilder();
+        builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        return builder;
+    }
 }
diff --git a/xstream/src/java/com/thoughtworks/xstream/io/xml/JDomDriver.java b/xstream/src/java/com/thoughtworks/xstream/io/xml/JDomDriver.java
@@ -58,7 +58,7 @@ public JDomDriver(final XmlFriendlyReplacer replacer) {
     @Override
     public HierarchicalStreamReader createReader(final Reader reader) {
         try {
-            final SAXBuilder builder = new SAXBuilder();
+            final SAXBuilder builder = createBuilder();
             final Document document = builder.build(reader);
             return new JDomReader(document, getNameCoder());
         } catch (final IOException e) {
@@ -71,7 +71,7 @@ public HierarchicalStreamReader createReader(final Reader reader) {
     @Override
     public HierarchicalStreamReader createReader(final InputStream in) {
         try {
-            final SAXBuilder builder = new SAXBuilder();
+            final SAXBuilder builder = createBuilder();
             final Document document = builder.build(in);
             return new JDomReader(document, getNameCoder());
         } catch (final IOException e) {
@@ -84,7 +84,7 @@ public HierarchicalStreamReader createReader(final InputStream in) {
     @Override
     public HierarchicalStreamReader createReader(final URL in) {
         try {
-            final SAXBuilder builder = new SAXBuilder();
+            final SAXBuilder builder = createBuilder();
             final Document document = builder.build(in);
             return new JDomReader(document, getNameCoder());
         } catch (final IOException e) {
@@ -97,7 +97,7 @@ public HierarchicalStreamReader createReader(final URL in) {
     @Override
     public HierarchicalStreamReader createReader(final File in) {
         try {
-            final SAXBuilder builder = new SAXBuilder();
+            final SAXBuilder builder = createBuilder();
             final Document document = builder.build(in);
             return new JDomReader(document, getNameCoder());
         } catch (final IOException e) {
@@ -117,4 +117,16 @@ public HierarchicalStreamWriter createWriter(final OutputStream out) {
         return new PrettyPrintWriter(new OutputStreamWriter(out));
     }
 
+    /**
+     * Create and initialize the SAX builder.
+     * 
+     * @return the SAX builder instance.
+     * @since upcoming
+     */
+    protected SAXBuilder createBuilder() {
+        final SAXBuilder builder = new SAXBuilder();
+        builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        return builder;
+    }
+
 }
diff --git a/xstream/src/test/com/thoughtworks/xstream/io/xml/JDom2ReaderTest.java b/xstream/src/test/com/thoughtworks/xstream/io/xml/JDom2ReaderTest.java
@@ -15,7 +15,6 @@
 
 import org.jdom2.Document;
 import org.jdom2.Element;
-import org.jdom2.input.JDOMParseException;
 import org.jdom2.input.SAXBuilder;
 
 import java.io.StringReader;
@@ -49,10 +48,10 @@ public void testCanReadFromElementOfLargerDocument() throws Exception {
     public void testIsXXEVulnerable() throws Exception {
         try {
             super.testIsXXEVulnerable();
-            fail("Thrown " + JDOMParseException.class.getName() + " expected");
-        } catch (final JDOMParseException e) {
+            fail("Thrown " + XStreamException.class.getName() + " expected");
+        } catch (final XStreamException e) {
             final String message = e.getMessage();
-            if (message.contains("Package")) {
+            if (!message.contains("DOCTYPE")) {
                 throw e;
             }
         }
diff --git a/xstream/src/test/com/thoughtworks/xstream/io/xml/JDomReaderTest.java b/xstream/src/test/com/thoughtworks/xstream/io/xml/JDomReaderTest.java
@@ -16,7 +16,6 @@
 
 import org.jdom.Document;
 import org.jdom.Element;
-import org.jdom.input.JDOMParseException;
 import org.jdom.input.SAXBuilder;
 
 import java.io.StringReader;
@@ -50,10 +49,10 @@ public void testCanReadFromElementOfLargerDocument() throws Exception {
     public void testIsXXEVulnerable() throws Exception {
         try {
             super.testIsXXEVulnerable();
-            fail("Thrown " + JDOMParseException.class.getName() + " expected");
-        } catch (final JDOMParseException e) {
+            fail("Thrown " + XStreamException.class.getName() + " expected");
+        } catch (final XStreamException e) {
             final String message = e.getMessage();
-            if (message.contains("Package")) {
+            if (!message.contains("DOCTYPE")) {
                 throw e;
             }
         }
