From ad6615b3ec41353e614f6ea5fdd5b046442a832b Mon Sep 17 00:00:00 2001
From: Guillaume Turri
Date: Tue, 13 Oct 2020 20:11:55 +0200
Subject: [PATCH] Fix CWE-611

This commit fixes the issue described on https://cwe.mitre.org/data/definitions/611.html
test
---
 Changelog | 2 ++
 src/main/java/de/timroes/axmlrpc/ResponseParser.java | 11 ++++++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/Changelog b/Changelog
index 7527119..4af36de 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,5 @@
+Fix security issue CWE-611
+
 1.12.0
 Add flag ACCEPT_NULL_DATES
diff --git a/src/main/java/de/timroes/axmlrpc/ResponseParser.java b/src/main/java/de/timroes/axmlrpc/ResponseParser.java
index 6feef08..6117937 100644
--- a/src/main/java/de/timroes/axmlrpc/ResponseParser.java
+++ b/src/main/java/de/timroes/axmlrpc/ResponseParser.java
@@ -10,6 +10,7 @@ import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerException;
@@ -45,9 +46,17 @@ public class ResponseParser {
 public Object parse(SerializerHandler serializerHandler, InputStream response, boolean debugMode) throws XMLRPCException {
 try {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+
+ // Ensure the xml parser won't allow exploitation of the vuln CWE-611
+ // (described on https://cwe.mitre.org/data/definitions/611.html )
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ factory.setExpandEntityReferences(false);
 factory.setNamespaceAware(true);
+ factory.setXIncludeAware(false);
+ factory.setExpandEntityReferences(false);
+ // End of the configuration of the parser for CWE-611
+
 DocumentBuilder builder = factory.newDocumentBuilder();
 Document dom = builder.parse(response);
 if (debugMode ){
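Review bot: The added `ParserConfigurationException` import has no matching use in this patch: the diffstat accounts for every change in ResponseParser.java (this one-line hunk plus the 9-insertion/1-deletion hunk below) and no new catch clause appears, so either the import is unused or the exception declared by the new `factory.setFeature(...)` call is already absorbed by an existing broad catch outside the hunk. That handler should fail closed — rethrow as `XMLRPCException` rather than continue parsing with an unhardened factory — because `http://apache.org/xml/features/disallow-doctype-decl` is a Xerces feature name that another JAXP implementation may reject; enabling the standard `XMLConstants.FEATURE_SECURE_PROCESSING` feature alongside it gives a baseline every compliant parser recognises. In the following hunk `factory.setExpandEntityReferences(false)` is called twice, and the second call after `setXIncludeAware(false)` can be dropped. As rendered here that hunk also removes `DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();` without re-adding it, which would leave `factory` undeclared unless this is a rendering artifact; the catch block of `parse` lies outside the hunk.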