zydronium/google-nomulus
1
0
Fork 0
mirror of https://github.com/google/nomulus.git synced 2025-07-26 04:28:34 +02:00
Code Issues Projects Releases Packages Wiki Activity

Better configure DocumentBuilderFactory to help prevent XXE (#2132)

Browse source 
For more information see: https://community.veracode.com/s/article/Java-Remediation-Guidance-for-XXE
This commit is contained in:
Ben McIlwain 2023-08-30 10:17:37 -04:00 committed by GitHub
parent 3a38e03a08
commit 257bb2c0b7
3 changed files with 15 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

3
core/src/main/java/google/registry/flows/EppXmlSanitizer.java
View file

@ -165,6 +165,9 @@ public class EppXmlSanitizer {
xmlInputFactory.setProperty(XMLInputFactory.IS_COALESCING, true);
// Preserve Name Space information.
xmlInputFactory.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, true);
// Prevent XXE attacks.
xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
return xmlInputFactory;
}
}

4
core/src/main/java/google/registry/tmch/TmchXmlSignature.java
View file

@ -111,6 +111,10 @@ public class TmchXmlSignature {
dbf.setSchema(SCHEMA);
dbf.setAttribute("http://apache.org/xml/features/validation/schema/normalized-value", false);
dbf.setNamespaceAware(true);
// Disable DTDs
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setXIncludeAware(false); // disable XML Inclusions
dbf.setExpandEntityReferences(false); // disable expand entity reference nodes
return dbf.newDocumentBuilder().parse(input);
}

8
prober/src/main/java/google/registry/monitoring/blackbox/message/EppMessage.java
View file

@ -153,6 +153,14 @@ public class EppMessage {
xpath = XPathFactory.newInstance().newXPath();
xpath.setNamespaceContext(new EppNamespaceContext());
docBuilderFactory.setNamespaceAware(true);
try {
// Disable DTDs
docBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
} catch (ParserConfigurationException e) {
throw new RuntimeException("Error configuring DocumentBuilderFactory", e);
}
docBuilderFactory.setXIncludeAware(false); // disable XML Inclusions
docBuilderFactory.setExpandEntityReferences(false); // disable expand entity reference nodes
String path = "./xsd/";
StreamSource[] sources;