
Commit 5c1c69a

committed
Fix for Improper Restriction of XXE Ref
1 parent 94492cf commit 5c1c69a


1 file changed

+24
-2
lines changed


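--- a/src/main/java/net/authorize/util/XmlUtility.java
+++ b/src/main/java/net/authorize/util/XmlUtility.java
@@ -12,9 +12,17 @@
 import javax.xml.bind.Marshaller;
 import javax.xml.bind.Unmarshaller;
 import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.parsers.SAXParserFactory;
+import javax.xml.transform.Source;
+import javax.xml.transform.sax.SAXSource;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+import org.xml.sax.SAXNotRecognizedException;
+import org.xml.sax.SAXNotSupportedException;
 
 /**
 * Helper methods for serializing and de-serializing to XML using JAXB
@@ -80,11 +88,25 @@ public static synchronized <T extends Serializable> String getXml(T entity) thro
 * @param <T> class that implements Serializable
 * @return T De-serialized object
 * @throws JAXBException if errors during de-serialization
+* @throws ParserConfigurationException
+* @throws SAXException
 */
 @SuppressWarnings("unchecked")
-public static synchronized <T extends Serializable> T create(String xml, Class<T> classType) throws JAXBException
+public static synchronized <T extends Serializable> T create(String xml, Class<T> classType) throws JAXBException, ParserConfigurationException, SAXException
 {
 T entity = null;
+
+//Disable XXE
+SAXParserFactory spf = SAXParserFactory.newInstance();
+spf.setNamespaceAware(true);
+spf.setValidating(true);
+spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+
+//Do unmarshall operation
+Source xmlSource = new SAXSource(spf.newSAXParser().getXMLReader(), new InputSource(new StringReader(xml)));
+
 //make sure we have not null and not-empty string to de-serialize
 if ( null != xml && !xml.trim().isEmpty())
 {
@@ -102,7 +124,7 @@ public static synchronized <T extends Serializable> T create(String xml, Class<T
 {
 Unmarshaller um = response_ctx.createUnmarshaller();
 try {
-Object unmarshaled = um.unmarshal(new StringReader(xml));
+Object unmarshaled = um.unmarshal(xmlSource);
 if ( null != unmarshaled)
 {
 try {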
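Review bot: The existing guard `if ( null != xml && !xml.trim().isEmpty())` in the second hunk is no longer reachable for a null argument, because the new `new InputSource(new StringReader(xml))` line above it throws NullPointerException when `xml` is null; the SAXParserFactory/SAXSource construction should be moved inside the guarded block so that null and empty input still take the documented "nothing to de-serialize" path. Disabling external general/parameter entities and the external DTD load is the right direction, but `spf.setValidating(true)` turns on DTD validation of caller-supplied input while the DTD itself can no longer be loaded, which at best yields validation errors for documents carrying a DOCTYPE; the simpler and stronger hardening is to add `spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` next to the existing features and leave validation off. The new Javadoc tags `@throws ParserConfigurationException` and `@throws SAXException` carry no description; say when they apply, e.g. `@throws SAXException if the parser does not support the entity-restriction features`. The `SAXNotRecognizedException` and `SAXNotSupportedException` imports added in the first hunk appear unused, since both are subclasses of the `SAXException` already declared. The body of `create` continues outside the last hunk.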
