
Adds XXE fixes to JAXBDecoder and SAXDecoder classes (#415)

fixes #411
pull/1248/head
Gursev Singh Kalra 8 years ago committed by Adrian Cole
parent
commit
1c471544be
  1. 22
      jaxb/src/main/java/feign/jaxb/JAXBDecoder.java
  2. 5
      sax/src/main/java/feign/sax/SAXDecoder.java

22
jaxb/src/main/java/feign/jaxb/JAXBDecoder.java

@ -20,11 +20,17 @@ import java.lang.reflect.Type; @@ -20,11 +20,17 @@ import java.lang.reflect.Type;
import javax.xml.bind.JAXBException;
import javax.xml.bind.Unmarshaller;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Source;
import javax.xml.transform.sax.SAXSource;
import feign.Response;
import feign.Util;
import feign.codec.DecodeException;
import feign.codec.Decoder;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
/**
* Decodes responses using JAXB. <br> <p> Basic example with with Feign.Builder: </p>
@ -57,11 +63,25 @@ public class JAXBDecoder implements Decoder { @@ -57,11 +63,25 @@ public class JAXBDecoder implements Decoder {
throw new UnsupportedOperationException(
"JAXB only supports decoding raw types. Found " + type);
}
try {
SAXParserFactory saxParserFactory = SAXParserFactory.newInstance();
/* Explicitly control sax configuration to prevent XXE attacks */
saxParserFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
saxParserFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
saxParserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
saxParserFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
Source source = new SAXSource(saxParserFactory.newSAXParser().getXMLReader(), new InputSource(response.body().asInputStream()));
Unmarshaller unmarshaller = jaxbContextFactory.createUnmarshaller((Class) type);
return unmarshaller.unmarshal(response.body().asInputStream());
return unmarshaller.unmarshal(source);
} catch (JAXBException e) {
throw new DecodeException(e.toString(), e);
} catch (ParserConfigurationException e) {
throw new DecodeException(e.toString(), e);
} catch (SAXException e) {
throw new DecodeException(e.toString(), e);
} finally {
if (response.body() != null) {
response.body().close();
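Review bot: The new line `saxParserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);` sets the feature to its Xerces default, so DOCTYPE declarations (and with them internal entity definitions) remain permitted and the line hardens nothing; the same `false` value appears in the SAXDecoder hunk. If the intent is to refuse any DOCTYPE, the value should be `true`; if responses carrying a DOCTYPE must still decode, the line is misleading and the comment above it should say that only external entity resolution and external DTD loading are disabled. Note also that `disallow-doctype-decl` is an Apache/Xerces-specific feature: a non-Xerces `SAXParserFactory` would throw `SAXNotRecognizedException` here, which this hunk turns into a `DecodeException` for every response, so the decoder's behaviour now depends on which parser implementation is on the classpath. Because `SAXParserFactory.newInstance()` is not namespace-aware by default, namespaced payloads will likely need `saxParserFactory.setNamespaceAware(true);` before the reader is built — worth confirming against the module's tests. The decode method's signature and the end of the `finally` block lie outside the hunk.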

5
sax/src/main/java/feign/sax/SAXDecoder.java

@ -74,6 +74,11 @@ public class SAXDecoder implements Decoder { @@ -74,6 +74,11 @@ public class SAXDecoder implements Decoder {
XMLReader xmlReader = XMLReaderFactory.createXMLReader();
xmlReader.setFeature("http://xml.org/sax/features/namespaces", false);
xmlReader.setFeature("http://xml.org/sax/features/validation", false);
/* Explicitly control sax configuration to prevent XXE attacks */
xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
xmlReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
xmlReader.setContentHandler(handler);
InputStream inputStream = response.body().asInputStream();
try {
