
Commit 494f821

committed
Activated defense against XML eXternal Entity (XXE) attacks
1 parent 0499a97 commit 494f821

2 files changed

+26
-17
lines changed


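--- a/pmml-model/src/main/java/org/jpmml/model/SAXUtil.java
+++ b/pmml-model/src/main/java/org/jpmml/model/SAXUtil.java
@@ -31,13 +31,23 @@ private SAXUtil(){
 static
 public SAXSource createFilteredSource(InputStream is, XMLFilter... filters) throws SAXException {
 XMLReader reader = XMLReaderFactory.createXMLReader();
+reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+
+reader = createFilteredReader(reader, filters);
+
+return new SAXSource(reader, new InputSource(is));
+}
+
+static
+public XMLReader createFilteredReader(XMLReader reader, XMLFilter... filters){
+XMLReader result = reader;
 
 for(XMLFilter filter : filters){
-filter.setParent(reader);
+filter.setParent(result);
 
-reader = filter;
+result = filter;
 }
 
-return new SAXSource(reader, new InputSource(is));
+return result;
 }
 }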
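Review bot: createFilteredReader (new line 42) hardens nothing on its own — the disallow-doctype-decl feature is set only inside createFilteredSource, so a caller that builds its own XMLReader and routes it through createFilteredReader gets no XXE protection, and neither method carries Javadoc saying where that responsibility lies. Add Javadoc on createFilteredReader such as `/** Chains {@code filters} onto {@code reader}; the reader is used as configured by the caller — see {@link #createFilteredSource} for a source that disallows DOCTYPE declarations. */`. The disallow-doctype-decl URI is also a Xerces-specific feature, so with a non-Xerces XMLReader the setFeature call on new line 34 would presumably throw SAXNotRecognizedException; that fails closed, which is the right outcome, but a comment such as `// Xerces-specific; a parser that lacks it fails closed via SAXNotRecognizedException` would make the intent explicit. The SAXUtil class and its constructor start before this hunk.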

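--- a/pmml-model/src/test/java/org/jpmml/model/XXEAttackTest.java
+++ b/pmml-model/src/test/java/org/jpmml/model/XXEAttackTest.java
@@ -8,17 +8,15 @@
 import java.util.List;
 
 import javax.xml.bind.UnmarshalException;
-import javax.xml.transform.sax.SAXSource;
+import javax.xml.transform.Source;
 import javax.xml.transform.stream.StreamSource;
 
-import org.dmg.pmml.Extension;
 import org.dmg.pmml.PMML;
 import org.junit.Test;
-import org.xml.sax.InputSource;
-import org.xml.sax.XMLReader;
-import org.xml.sax.helpers.XMLReaderFactory;
+import org.xml.sax.SAXParseException;
 
 import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
 import static org.junit.Assert.fail;
 
 public class XXEAttackTest {
@@ -30,30 +28,31 @@ public void unmarshal() throws Exception {
 System.setProperty("javax.xml.accessExternalDTD", "file");
 
 try(InputStream is = ResourceUtil.getStream(XXEAttackTest.class);){
-pmml = JAXBUtil.unmarshalPMML(new StreamSource(is));
+Source source = new StreamSource(is);
+
+pmml = JAXBUtil.unmarshalPMML(source);
 } finally {
 System.clearProperty("javax.xml.accessExternalDTD");
 }
 
-List<Extension> extensions = pmml.getExtensions();
-assertEquals(1, extensions.size());
+List<?> content = ExtensionUtil.getContent(pmml);
 
-Extension extension = extensions.get(0);
-assertEquals(Arrays.asList("lol"), extension.getContent());
+assertEquals(Arrays.asList("lol"), content);
 }
 
 @Test
 public void unmarshalSecurely() throws Exception {
 
 try(InputStream is = ResourceUtil.getStream(XXEAttackTest.class)){
-XMLReader reader = XMLReaderFactory.createXMLReader();
-reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+Source source = SAXUtil.createFilteredSource(is);
 
-JAXBUtil.unmarshalPMML(new SAXSource(reader, new InputSource(is)));
+JAXBUtil.unmarshalPMML(source);
 
 fail();
 } catch(UnmarshalException ue){
-// Ignored
+Throwable cause = ue.getCause();
+
+assertTrue(cause instanceof SAXParseException);
 }
 }
 }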
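Review bot: The assertion on new line 55 of the second hunk only checks that the cause is a SAXParseException, which any malformed input would satisfy as well, so unmarshalSecurely does not actually prove that the DOCTYPE declaration was what got rejected. Since the expected failure is the disallow-doctype-decl feature firing, consider also pinning the message, e.g. `assertTrue(cause.getMessage().contains("DOCTYPE"));` — the exact wording is parser-specific, so confirm it against the parser in use before relying on it. The unmarshal() test, whose signature sits outside this hunk, would also benefit from a one-line comment above new line 28 stating why javax.xml.accessExternalDTD is set to "file", e.g. `// Baseline: the unfiltered StreamSource path is expected to resolve the external DTD`, so a future reader does not mistake it for a leftover.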
