Missed a couple possibly unsafe XMLUtils
AngledLuffa committed Oct 12, 2021
1 parent ab66e56 commit e5bbe13
Showing 2 changed files with 6 additions and 3 deletions.
4 changes: 3 additions & 1 deletion src/edu/stanford/nlp/ie/machinereading/common/DomReader.java
Expand Up @@ -16,6 +16,8 @@
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

import edu.stanford.nlp.util.XMLUtils;

/**
* Generic DOM reader for an XML file
*/
Expand Down Expand Up @@ -127,7 +129,7 @@ public static String getAttributeValue(Node node, String attributeName) {
public static Document readDocument(File f) throws IOException, SAXException, ParserConfigurationException {
Document document = null;

DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
DocumentBuilderFactory factory = XMLUtils.safeDocumentBuilderFactory();
// factory.setValidating(true);
// factory.setNamespaceAware(true);

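Review bot: the two commented-out lines `// factory.setValidating(true);` and `// factory.setNamespaceAware(true);` should not be re-enabled casually now that the factory comes from `XMLUtils.safeDocumentBuilderFactory()`: DTD validation requires the parser to load and process the DTD, which is exactly what a hardened factory is meant to refuse, and whether the safe factory disallows DOCTYPE declarations or only disables external entities is not visible from this diff. Either drop the dead lines or replace them with a one-line comment saying why validation stays off on this code path.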
5 changes: 3 additions & 2 deletions src/edu/stanford/nlp/semgraph/semgrex/ssurgeon/Ssurgeon.java
Expand Up @@ -27,6 +27,7 @@
import edu.stanford.nlp.semgraph.semgrex.ssurgeon.pred.*;
import edu.stanford.nlp.semgraph.semgrex.SemgrexPattern;
import edu.stanford.nlp.util.Generics;
import edu.stanford.nlp.util.XMLUtils;
import edu.stanford.nlp.util.logging.Redwood;


Expand Down Expand Up @@ -397,7 +398,7 @@ public static String writeToString(SsurgeonPattern pattern) {

private static Document createPatternXMLDoc(List<SsurgeonPattern> patterns) {
try {
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
DocumentBuilderFactory dbf = XMLUtils.safeDocumentBuilderFactory();
DocumentBuilder db = dbf.newDocumentBuilder();
Document domDoc = db.newDocument();
Element rootElt = domDoc.createElement(SsurgeonPattern.ELT_LIST_TAG);
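Review bot: `createPatternXMLDoc` only builds a fresh tree with `db.newDocument()` and never calls `parse`, so the factory swap here is harmless but closes no entity-expansion path; keeping every `DocumentBuilderFactory` in the file on the safe factory is fine for consistency, but the "possibly unsafe" in the commit message should not be read as this method having parsed untrusted input. The parse site in this file is `readFromFile` in the next hunk.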
Expand Down Expand Up @@ -452,7 +453,7 @@ private static Document createPatternXMLDoc(List<SsurgeonPattern> patterns) {
@SuppressWarnings("unchecked")
public List<SsurgeonPattern> readFromFile(File file) throws Exception {
List<SsurgeonPattern> retList = new ArrayList<>();
Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(file);
Document doc = XMLUtils.safeDocumentBuilderFactory().newDocumentBuilder().parse(file);

if (VERBOSE)
System.out.println("Reading ssurgeon file="+file.getAbsolutePath());
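Review bot: this is the hunk that matters, since `readFromFile` is public and hands an arbitrary `File` straight to `parse`, and the one-line chain `XMLUtils.safeDocumentBuilderFactory().newDocumentBuilder().parse(file)` leaves no place to adjust the builder per call. If the safe factory disallows DOCTYPE declarations, any existing ssurgeon pattern file that carries one will now fail to load with a `SAXParseException` that the `throws Exception` signature does nothing to explain; worth a line in the release notes and a test that loads such a file.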

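The hardening this commit relies on, shown as an added example rather than code from this page or from CoreNLP: `hardenedDocumentBuilderFactory` is a hypothetical stand-in for `XMLUtils.safeDocumentBuilderFactory()` (whose actual settings are not shown here), configured with the usual JAXP anti-XXE features, and `XXE_DOC` is a constructed document whose DOCTYPE declares an external entity pointing at a local file. Parsing the same input with the default factory and the hardened one makes the difference concrete.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeCheck {

    // Constructed test input (not from the project): a DOCTYPE declaring an external
    // entity that reads a local file. A parser with default settings resolves it and
    // the file contents end up inside <name>.
    static final String XXE_DOC =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE doc [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\"> ]>\n" +
        "<doc><name>&xxe;</name></doc>";

    // Hypothetical hardened factory; an assumption standing in for
    // XMLUtils.safeDocumentBuilderFactory(), whose settings are not visible on this page.
    static DocumentBuilderFactory hardenedDocumentBuilderFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse any DOCTYPE outright: blocks external entities and entity-expansion
        // (billion laughs) in one go, at the cost of rejecting documents that carry a DTD.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // JAXP 1.5 properties: no protocol may be used to fetch external DTDs or schemas.
        // Older third-party parsers on the classpath may reject these with IllegalArgumentException.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses xml with the given factory and reports either the text of <name> or the
    // parser's refusal. I/O errors (e.g. the entity target not existing) propagate.
    static String parseName(DocumentBuilderFactory factory, String xml) throws Exception {
        try {
            Document d = factory.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "parsed: " + d.getElementsByTagName("name").item(0).getTextContent().trim();
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default  -> " + parseName(DocumentBuilderFactory.newInstance(), XXE_DOC));
        System.out.println("hardened -> " + parseName(hardenedDocumentBuilderFactory(), XXE_DOC));
    }
}
```

On a JDK whose default parser still resolves external entities (the long-standing JAXP default) the first line carries the contents of the referenced file, while the hardened factory rejects the document at the DOCTYPE before any entity is touched. If a code path must accept files that legitimately contain a DTD, drop the `disallow-doctype-decl` line and keep the remaining settings, which still prevent external entity resolution; the JDK's built-in entity-expansion limits then cover the denial-of-service case.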
4 comments on commit e5bbe13

@wesley-philip

Is this fix included in version 4.3.1?

@AngledLuffa (Contributor Author) commented on e5bbe13 Oct 20, 2021 via email

@wesley-philip

I'm guessing the severity is still under review, because WhiteSource has flagged it as a 9.8 (critical) vulnerability:

https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-3878

However, on the NVD site, there is no score: https://nvd.nist.gov/vuln/detail/CVE-2021-3878

@AngledLuffa (Contributor Author) commented on e5bbe13 Oct 20, 2021 via email
