8000 Adds XXE fixes to JAXBDecoder and SAXDecoder classes (#415) · opensource-project-study/feign@07275ee · GitHub
gursevadriancole
authored and committed
Adds XXE fixes to JAXBDecoder and SAXDecoder classes (OpenFeign#415)
fixes OpenFeign#411
1 parent 6717142 commit 07275ee

2 files changed

+26
-1
lines changed


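--- a/jaxb/src/main/java/feign/jaxb/JAXBDecoder.java
+++ b/jaxb/src/main/java/feign/jaxb/JAXBDecoder.java
@@ -20,11 +20,17 @@
 
 import javax.xml.bind.JAXBException;
 import javax.xml.bind.Unmarshaller;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.parsers.SAXParserFactory;
+import javax.xml.transform.Source;
+import javax.xml.transform.sax.SAXSource;
 
 import feign.Response;
 import feign.Util;
 import feign.codec.DecodeException;
 import feign.codec.Decoder;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
 
 /**
 * Decodes responses using JAXB. <br> <p> Basic example with with Feign.Builder: </p>
@@ -57,11 +63,25 @@ public Object decode(Response response, Type type) throws IOException {
 throw new UnsupportedOperationException(
 "JAXB only supports decoding raw types. Found " + type);
 }
+
+
 try {
+SAXParserFactory saxParserFactory = SAXParserFactory.newInstance();
+/* Explicitly control sax configuration to prevent XXE attacks */
+saxParserFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+saxParserFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+saxParserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
+saxParserFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+
+Source source = new SAXSource(saxParserFactory.newSAXParser().getXMLReader(), new InputSource(response.body().asInputStream()));
 Unmarshaller unmarshaller = jaxbContextFactory.createUnmarshaller((Class) type);
-return unmarshaller.unmarshal(response.body().asInputStream());
+return unmarshaller.unmarshal(source);
 } catch (JAXBException e) {
 throw new DecodeException(e.toString(), e);
+} catch (ParserConfigurationException e) {
+throw new DecodeException(e.toString(), e);
+} catch (SAXException e) {
+throw new DecodeException(e.toString(), e);
 } finally {
 if (response.body() != null) {
 response.body().close();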
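Review bot: The `disallow-doctype-decl` line in the new try block sets the feature to `false`, which is the parser's default and therefore disallows nothing: DOCTYPE declarations are still accepted, so although external entities and external DTD loading are now off, a response can still carry an internal DTD with recursive entity definitions (the "billion laughs" expansion DoS) into the unmarshaller. If decoded responses never legitimately need a DTD, the line should read `saxParserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`, which also makes the other three features redundant but harmless; if DTDs must remain allowed, the comment above it should say so instead of claiming the configuration prevents XXE outright. Separately, `SAXParserFactory.newInstance()` yields a reader that is not namespace-aware by default, and the old `unmarshal(InputStream)` path let JAXB pick its own (namespace-aware) parser, so namespaced payloads that decoded before may now fail — presumably `saxParserFactory.setNamespaceAware(true);` is wanted before `newSAXParser()`, worth confirming against the module's tests. Building the factory on every decode call is also a measurable cost; a per-decoder or static factory configured once would avoid the repeated service lookup. The enclosing `decode` method begins before and continues after this hunk.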

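--- a/sax/src/main/java/feign/sax/SAXDecoder.java
+++ b/sax/src/main/java/feign/sax/SAXDecoder.java
@@ -74,6 +74,11 @@ public Object decode(Response response, Type type) throws IOException, DecodeExc
 XMLReader xmlReader = XMLReaderFactory.createXMLReader();
 xmlReader.setFeature("http://xml.org/sax/features/namespaces", false);
 xmlReader.setFeature("http://xml.org/sax/features/validation", false);
+/* Explicitly control sax configuration to prevent XXE attacks */
+xmlReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
+xmlReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", false);
+xmlReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
 xmlReader.setContentHandler(handler);
 InputStream inputStream = response.body().asInputStream();
 try {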
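Review bot: As in the JAXB decoder, `disallow-doctype-decl` is set to `false` here, which is the default and leaves DOCTYPE declarations enabled; external entity resolution and external DTD loading are switched off by the neighbouring lines, but an inline DTD with recursive internal entities can still be expanded by the reader before the content handler sees anything. Unless responses are expected to carry a DTD, change it to `xmlReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` or reword the comment so it does not promise more than the remaining three features deliver. Note also that the two `http://apache.org/xml/features/...` names are Xerces-specific and `setFeature` throws `SAXNotRecognizedException` on an `XMLReader` that does not know them; since `XMLReaderFactory.createXMLReader()` can return a third-party implementation, it is worth documenting that decoding is intended to fail closed in that case, assuming the surrounding `decode` method lets that `SAXException` propagate — its body starts before and ends after this hunk, so that cannot be confirmed here.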
