BUG-2511 Fix XXE vulnerability in initial config loaders

author Maros Marsalek <mmarsale@cisco.com>

Thu, 18 Dec 2014 09:33:02 +0000 (10:33 +0100)

committer Maros Marsalek <mmarsale@cisco.com>

Thu, 18 Dec 2014 10:53:45 +0000 (11:53 +0100)
author Maros Marsalek <mmarsale@cisco.com>
Thu, 18 Dec 2014 09:33:02 +0000 (10:33 +0100)
committer Maros Marsalek <mmarsale@cisco.com>
Thu, 18 Dec 2014 10:53:45 +0000 (11:53 +0100)
diff --git a/opendaylight/config/config-persister-directory-xml-adapter/src/main/java/org/opendaylight/controller/config/persist/storage/directory/xml/XmlDirectoryPersister.java b/opendaylight/config/config-persister-directory-xml-adapter/src/main/java/org/opendaylight/controller/config/persist/storage/directory/xml/XmlDirectoryPersister.java

index 85f70b9a01172f314fec16020d508e9769efeea7..3ea432e1739a7ed83047091f0a392e8918c8e45e 100644 (file)
--- a/opendaylight/config/config-persister-directory-xml-adapter/src/main/java/org/opendaylight/controller/config/persist/storage/directory/xml/XmlDirectoryPersister.java
+++ b/opendaylight/config/config-persister-directory-xml-adapter/src/main/java/org/opendaylight/controller/config/persist/storage/directory/xml/XmlDirectoryPersister.java
@@ -23,6 +23,10 @@ import java.util.SortedSet;
  import javax.xml.bind.JAXBContext;
  import javax.xml.bind.JAXBException;
  import javax.xml.bind.Unmarshaller;
  import javax.xml.bind.JAXBContext;
  import javax.xml.bind.JAXBException;
  import javax.xml.bind.Unmarshaller;
+import javax.xml.stream.XMLInputFactory;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.XMLStreamReader;
+import javax.xml.transform.stream.StreamSource;
  import org.opendaylight.controller.config.persist.api.ConfigSnapshotHolder;
  import org.opendaylight.controller.config.persist.api.Persister;
  import org.opendaylight.controller.config.persist.storage.file.xml.model.ConfigSnapshot;
  import org.opendaylight.controller.config.persist.api.ConfigSnapshotHolder;
  import org.opendaylight.controller.config.persist.api.Persister;
  import org.opendaylight.controller.config.persist.storage.file.xml.model.ConfigSnapshot;
@@ -105,8 +109,15 @@ public class XmlDirectoryPersister implements Persister {
      public static ConfigSnapshotHolder loadLastConfig(final File file) throws JAXBException {
          JAXBContext jaxbContext = JAXBContext.newInstance(ConfigSnapshot.class);
          Unmarshaller um = jaxbContext.createUnmarshaller();
      public static ConfigSnapshotHolder loadLastConfig(final File file) throws JAXBException {
          JAXBContext jaxbContext = JAXBContext.newInstance(ConfigSnapshot.class);
          Unmarshaller um = jaxbContext.createUnmarshaller();
-
-        return asHolder((ConfigSnapshot) um.unmarshal(file));
+        XMLInputFactory xif = XMLInputFactory.newFactory();
+        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+        try {
+            XMLStreamReader xsr = xif.createXMLStreamReader(new StreamSource(file));
+            return asHolder((ConfigSnapshot) um.unmarshal(xsr));
+        } catch (final XMLStreamException e) {
+            throw new JAXBException(e);
+        }
      }
  
      private static ConfigSnapshotHolder asHolder(final ConfigSnapshot unmarshalled) {
      }
  
      private static ConfigSnapshotHolder asHolder(final ConfigSnapshot unmarshalled) {
diff --git a/opendaylight/config/config-persister-feature-adapter/src/main/java/org/opendaylight/controller/configpusherfeature/internal/FeatureConfigSnapshotHolder.java b/opendaylight/config/config-persister-feature-adapter/src/main/java/org/opendaylight/controller/configpusherfeature/internal/FeatureConfigSnapshotHolder.java

index 1bce5f236414242c3523adbbebb5a551559d1fb1..518716cfa75b2043b189970719fd80fc8442701a 100644 (file)
--- a/opendaylight/config/config-persister-feature-adapter/src/main/java/org/opendaylight/controller/configpusherfeature/internal/FeatureConfigSnapshotHolder.java
+++ b/opendaylight/config/config-persister-feature-adapter/src/main/java/org/opendaylight/controller/configpusherfeature/internal/FeatureConfigSnapshotHolder.java
@@ -20,6 +20,10 @@ import java.util.SortedSet;
  import javax.xml.bind.JAXBContext;
  import javax.xml.bind.JAXBException;
  import javax.xml.bind.Unmarshaller;
  import javax.xml.bind.JAXBContext;
  import javax.xml.bind.JAXBException;
  import javax.xml.bind.Unmarshaller;
+import javax.xml.stream.XMLInputFactory;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.XMLStreamReader;
+import javax.xml.transform.stream.StreamSource;
  import org.apache.karaf.features.ConfigFileInfo;
  import org.apache.karaf.features.Feature;
  import org.opendaylight.controller.config.persist.api.ConfigSnapshotHolder;
  import org.apache.karaf.features.ConfigFileInfo;
  import org.apache.karaf.features.Feature;
  import org.opendaylight.controller.config.persist.api.ConfigSnapshotHolder;
@@ -59,10 +63,18 @@ public class FeatureConfigSnapshotHolder implements ConfigSnapshotHolder {
          Preconditions.checkNotNull(feature);
          this.fileInfo = fileInfo;
          this.featureChain.add(feature);
          Preconditions.checkNotNull(feature);
          this.fileInfo = fileInfo;
          this.featureChain.add(feature);
+        // TODO extract utility method for umarshalling config snapshots
          JAXBContext jaxbContext = JAXBContext.newInstance(ConfigSnapshot.class);
          Unmarshaller um = jaxbContext.createUnmarshaller();
          JAXBContext jaxbContext = JAXBContext.newInstance(ConfigSnapshot.class);
          Unmarshaller um = jaxbContext.createUnmarshaller();
-        File file = new File(fileInfo.getFinalname());
-        unmarshalled = ((ConfigSnapshot) um.unmarshal(file));
+        XMLInputFactory xif = XMLInputFactory.newFactory();
+        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+        try {
+            XMLStreamReader xsr = xif.createXMLStreamReader(new StreamSource(new File(fileInfo.getFinalname())));
+            unmarshalled = ((ConfigSnapshot) um.unmarshal(xsr));
+        } catch (final XMLStreamException e) {
+            throw new JAXBException(e);
+        }
      }
      /*
       * (non-Javadoc)
      }
      /*
       * (non-Javadoc)
diff --git a/opendaylight/config/config-persister-file-xml-adapter/src/main/java/org/opendaylight/controller/config/persist/storage/file/xml/model/Config.java b/opendaylight/config/config-persister-file-xml-adapter/src/main/java/org/opendaylight/controller/config/persist/storage/file/xml/model/Config.java

index e629d20db52e0c2c65bf26c76aeb1e2dbce62eff..6a6d360cfa794c2209ba7d5fe28a8dc1efeca3ab 100644 (file)
--- a/opendaylight/config/config-persister-file-xml-adapter/src/main/java/org/opendaylight/controller/config/persist/storage/file/xml/model/Config.java
+++ b/opendaylight/config/config-persister-file-xml-adapter/src/main/java/org/opendaylight/controller/config/persist/storage/file/xml/model/Config.java
@@ -22,6 +22,10 @@ import javax.xml.bind.Unmarshaller;
  import javax.xml.bind.annotation.XmlElement;
  import javax.xml.bind.annotation.XmlElementWrapper;
  import javax.xml.bind.annotation.XmlRootElement;
  import javax.xml.bind.annotation.XmlElement;
  import javax.xml.bind.annotation.XmlElementWrapper;
  import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.stream.XMLInputFactory;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.XMLStreamReader;
+import javax.xml.transform.stream.StreamSource;
  import org.apache.commons.lang3.StringUtils;
  
  @XmlRootElement(name = "persisted-snapshots")
  import org.apache.commons.lang3.StringUtils;
  
  @XmlRootElement(name = "persisted-snapshots")
@@ -72,9 +76,12 @@ public final class Config {
          try {
              JAXBContext jaxbContext = JAXBContext.newInstance(Config.class);
              Unmarshaller um = jaxbContext.createUnmarshaller();
          try {
              JAXBContext jaxbContext = JAXBContext.newInstance(Config.class);
              Unmarshaller um = jaxbContext.createUnmarshaller();
-
-            return (Config) um.unmarshal(from);
-        } catch (JAXBException e) {
+            XMLInputFactory xif = XMLInputFactory.newFactory();
+            xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
+            xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
+            XMLStreamReader xsr = xif.createXMLStreamReader(new StreamSource(from));
+            return ((Config) um.unmarshal(xsr));
+        } catch (JAXBException | XMLStreamException e) {
              throw new PersistException("Unable to restore configuration", e);
          }
      }
              throw new PersistException("Unable to restore configuration", e);
          }
      }
author	Maros Marsalek <mmarsale@cisco.com>
	Thu, 18 Dec 2014 09:33:02 +0000 (10:33 +0100)
committer	Maros Marsalek <mmarsale@cisco.com>
	Thu, 18 Dec 2014 10:53:45 +0000 (11:53 +0100)
opendaylight/config/config-persister-directory-xml-adapter/src/main/java/org/opendaylight/controller/config/persist/storage/directory/xml/XmlDirectoryPersister.java		patch \| blob \| history
opendaylight/config/config-persister-feature-adapter/src/main/java/org/opendaylight/controller/configpusherfeature/internal/FeatureConfigSnapshotHolder.java		patch \| blob \| history
opendaylight/config/config-persister-file-xml-adapter/src/main/java/org/opendaylight/controller/config/persist/storage/file/xml/model/Config.java		patch \| blob \| history