Correct security vulneratilbity

NickNiu · Dec 10, 2016 · 090958e · 090958e
1 parent 2ef5f36
commit 090958e
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 21 deletions.
diff --git a/ff4j-core/src/main/java/org/ff4j/conf/XmlParser.java b/ff4j-core/src/main/java/org/ff4j/conf/XmlParser.java
@@ -478,7 +478,24 @@ private static Set<String> parseListAuthorizations(Element securityTag) {
      */
     public static DocumentBuilder getDocumentBuilder() throws ParserConfigurationException {
         if (builder == null) {
-            builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+            // -- Prevent against XXE @see https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
+            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            // If you can't completely disable DTDs, then at least do the following:
+            // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-general-entities
+            // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-general-entities
+            // JDK7+ - http://xml.org/sax/features/external-general-entities    
+            dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            // Xerces 1 - http://xerces.apache.org/xerces-j/features.html#external-parameter-entities
+            // Xerces 2 - http://xerces.apache.org/xerces2-j/features.html#external-parameter-entities
+            // JDK7+ - http://xml.org/sax/features/external-parameter-entities    
+            dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            // Disable external DTDs as well
+            dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+            // and these as well, per Timothy Morgan's 2014 paper: "XML Schema, DTD, and Entity Attacks" (see reference below)
+            dbf.setXIncludeAware(false);
+            dbf.setExpandEntityReferences(false);
+            builder = dbf.newDocumentBuilder();
             builder.setErrorHandler(new XmlParserErrorHandler());
         }
         return builder;

diff --git a/ff4j-core/src/test/resources/ff4j.json → ff4j-core/src/test/resources/ff4j.json.tmp b/ff4j-core/src/test/resources/ff4j.json → ff4j-core/src/test/resources/ff4j.json.tmp
@@ -1,22 +1,3 @@
-/*
- * #%L
- * ff4j-core
- * %%
- * Copyright (C) 2013 - 2016 FF4J
- * %%
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- * 
- *      http://www.apache.org/licenses/LICENSE-2.0
- * 
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- * #L%
- */
 {
     "features": [
         { "uid":"AwesomeFeature", "enable":true, "description":"some desc" },

diff --git a/ff4j-core/src/test/resources/test-featureXmlParserTest-import-export.xml b/ff4j-core/src/test/resources/test-featureXmlParserTest-import-export.xml
@@ -18,7 +18,6 @@
   limitations under the License.
   #L%
   -->
-<!DOCTYPE configuration>
 <features xmlns="http://www.ff4j.org/schema/ff4j" 
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 	 xsi:schemaLocation="http://www.ff4j.org/schema/ff4j ../../main/resources/ff4j-1.2.0.xsd">