
Commit 5c1c69a

Fix for Improper Restriction of XXE Ref
1 parent 94492cf commit 5c1c69a

1 file changed

Lines changed: 24 additions & 2 deletions


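--- a/src/main/java/net/authorize/util/XmlUtility.java
+++ b/src/main/java/net/authorize/util/XmlUtility.java
@@ -12,9 +12,17 @@
 import javax.xml.bind.Marshaller;
 import javax.xml.bind.Unmarshaller;
 import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.parsers.SAXParserFactory;
+import javax.xml.transform.Source;
+import javax.xml.transform.sax.SAXSource;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 
 /**
 * Helper methods for serializing and de-serializing to XML using JAXB
@@ -80,11 +88,25 @@ public static synchronized <T extends Serializable> String getXml(T entity) thro
 * @param <T> class that implements Serializable
 * @return T De-serialized object
 * @throws JAXBException if errors during de-serialization
+* @throws ParserConfigurationException
+* @throws SAXException
 */
 @SuppressWarnings("unchecked")
-public static synchronized <T extends Serializable> T create(String xml, Class<T> classType) throws JAXBException
+public static synchronized <T extends Serializable> T create(String xml, Class<T> classType) throws JAXBException, ParserConfigurationException, SAXException
 {
 T entity = null;
+
+//Disable XXE
+SAXParserFactory spf = SAXParserFactory.newInstance();
+spf.setNamespaceAware(true);
+spf.setValidating(true);
+spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+
+//Do unmarshall operation
+Source xmlSource = new SAXSource(spf.newSAXParser().getXMLReader(), new InputSource(new StringReader(xml)));
+
 //make sure we have not null and not-empty string to de-serialize
 if ( null != xml && !xml.trim().isEmpty())
 {
@@ -102,7 +124,7 @@ public static synchronized <T extends Serializable> T create(String xml, Class<T
 {
 Unmarshaller um = response_ctx.createUnmarshaller();
 try {
-Object unmarshaled = um.unmarshal(new StringReader(xml));
+Object unmarshaled = um.unmarshal(xmlSource);
 if ( null != unmarshaled)
 {
 try {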
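Review bot: The `xmlSource` built on new line 108 is constructed before the null/empty guard on line 111, so `create(null, cls)` now fails with a NullPointerException from `new StringReader(xml)` instead of taking the guarded path it took before the patch; the factory and SAXSource should be built inside the `if`. The hardening blocks external entity and external DTD fetches but still lets a document declare internal entities, so an entity-expansion payload (billion laughs) is still parsed in full — adding `spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` rejects any DOCTYPE outright and is the usual primary control. `spf.setValidating(true)` on line 102 also looks unintended: with DTD loading disabled there is no grammar to validate against, so Xerces reports every document as a validation error to whatever error handler JAXB installs — presumably `false` was meant, worth confirming. `create` continues past the end of this hunk, and the `SAXNotRecognizedException`/`SAXNotSupportedException` imports added in the first hunk are unused, since the signature declares their parent `SAXException`.
```java
T entity = null;

//make sure we have not null and not-empty string to de-serialize
if ( null != xml && !xml.trim().isEmpty())
{
    //Disable XXE: refuse any DOCTYPE so neither external nor internal entities can be declared
    SAXParserFactory spf = SAXParserFactory.newInstance();
    spf.setNamespaceAware(true);
    spf.setValidating(true);
    spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
    spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);

    //Do unmarshall operation through the hardened reader
    Source xmlSource = new SAXSource(spf.newSAXParser().getXMLReader(), new InputSource(new StringReader(xml)));
    // … unchanged: JAXBContext lookup and um.unmarshal(xmlSource) …
```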
