diff --git a/retrofit-converters/jaxb/src/main/java/retrofit2/converter/jaxb/JaxbResponseConverter.java b/retrofit-converters/jaxb/src/main/java/retrofit2/converter/jaxb/JaxbResponseConverter.java index 1b0666b52d..469b863d1a 100644 --- a/retrofit-converters/jaxb/src/main/java/retrofit2/converter/jaxb/JaxbResponseConverter.java +++ b/retrofit-converters/jaxb/src/main/java/retrofit2/converter/jaxb/JaxbResponseConverter.java @@ -33,6 +33,10 @@ final class JaxbResponseConverter implements Converter { JaxbResponseConverter(JAXBContext context, Class type) { this.context = context; this.type = type; + + // Prevent XML External Entity attacks (XXE). + xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false); + xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false); } @Override public T convert(ResponseBody value) throws IOException { diff --git a/retrofit-converters/jaxb/src/test/java/retrofit2/converter/jaxb/JaxbConverterFactoryTest.java b/retrofit-converters/jaxb/src/test/java/retrofit2/converter/jaxb/JaxbConverterFactoryTest.java index 1067f8af56..186d506fbb 100644 --- a/retrofit-converters/jaxb/src/test/java/retrofit2/converter/jaxb/JaxbConverterFactoryTest.java +++ b/retrofit-converters/jaxb/src/test/java/retrofit2/converter/jaxb/JaxbConverterFactoryTest.java @@ -146,4 +146,55 @@ interface Service { Response response = call.execute(); assertThat(response.body().name).isEqualTo("Jenny"); } + + @Test public void externalEntity() throws Exception { + server.enqueue(new MockResponse() + .setBody("" + + "" + + "" + + "]>" + + "" + + "&secret;" + + "")); + server.enqueue(new MockResponse() + .setBody("hello")); + + Call call = service.getXml(); + try { + Response response = call.execute(); + response.body(); + fail(); + } catch (RuntimeException expected) { + assertThat(expected).hasMessageContaining("ParseError"); + } + + assertThat(server.getRequestCount()).isEqualTo(1); + } + + @Test public void externalDtd() throws Exception { + server.enqueue(new MockResponse() + .setBody("" + + "" + + "" + + "" + + "&secret;" + + "")); + server.enqueue(new MockResponse() + .setBody("" + + "\n" + + "\n" + + "")); + + Call call = service.getXml(); + try { + Response response = call.execute(); + response.body(); + fail(); + } catch (RuntimeException expected) { + assertThat(expected).hasMessageContaining("ParseError"); + } + + assertThat(server.getRequestCount()).isEqualTo(1); + } }