static {
BUILDER_FACTORY = DocumentBuilderFactory.newInstance();
+ try {
+ BUILDER_FACTORY.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ BUILDER_FACTORY.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ BUILDER_FACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ BUILDER_FACTORY.setXIncludeAware(false);
+ BUILDER_FACTORY.setExpandEntityReferences(false);
+ } catch (ParserConfigurationException e) {
+ throw new ExceptionInInitializerError(e);
+ }
BUILDER_FACTORY.setNamespaceAware(true);
BUILDER_FACTORY.setCoalescing(true);
BUILDER_FACTORY.setIgnoringElementContentWhitespace(true);
static {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ try {
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ factory.setXIncludeAware(false);
+ factory.setExpandEntityReferences(false);
+ } catch (ParserConfigurationException e) {
+ throw new ExceptionInInitializerError(e);
+ }
factory.setNamespaceAware(true);
factory.setCoalescing(true);
factory.setIgnoringElementContentWhitespace(true);
}
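Review bot: The five hardening calls added in this `static {}` block (`disallow-doctype-decl`, the two `external-*-entities` features, `setXIncludeAware(false)`, `setExpandEntityReferences(false)`) repeat the ones added to the first `static {}` block on `BUILDER_FACTORY` verbatim, so the two factories can silently drift the next time one of them is touched; a single shared helper such as `static DocumentBuilderFactory newHardenedFactory()` that applies the features and returns the instance, called from both initializers, keeps the policy in one place. The `catch (ParserConfigurationException e)` that rethrows as `ExceptionInInitializerError` is a deliberate fail-closed choice — a JAXP implementation that does not recognise these Xerces feature URIs makes the class unloadable instead of parsing with DOCTYPE processing enabled — and deserves a comment saying so, e.g. `// Fail closed: a parser that cannot enforce these features must not be used at all.` Since the feature URIs are implementation-specific, consider also setting the standard `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` before them as an implementation-independent baseline.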
+ @Test(expected = SAXParseException.class)
+ public void testXXEFlaw() throws Exception {
+ XmlUtil.readXmlToDocument("<!DOCTYPE foo [ \n" +
+ "<!ELEMENT foo ANY >\n" +
+ "<!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]>\n" +
+ "<hello xmlns=\"urn:ietf:params:xml:ns:netconf:base:1.0\">\n" +
+ " <capabilities>\n" +
+ " <capability>urn:ietf:params:netconf:base:1.0 &xxe;</capability>\n" +
+ " </capabilities>\n" +
+ " </hello>]]>]]>");
+ }
+
@Test
public void testXPath() throws Exception {
final XPathExpression correctXPath = XMLNetconfUtil.compileXPath("/top/innerText");
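Review bot: `testXXEFlaw` cannot tell a hardened parser from an unhardened one, because the payload ends with the NETCONF framing `]]>]]>` after the root element; if `XmlUtil.readXmlToDocument` hands the string to the parser verbatim, that trailing content is itself a well-formedness error and produces a `SAXParseException` even when the DOCTYPE and its external entity are accepted, so `@Test(expected = SAXParseException.class)` would pass before and after this commit. Drop the framing and assert the failure reason instead — with `disallow-doctype-decl` the message from Xerces names the DOCTYPE — using JUnit 4's `Assert.fail`/`Assert.assertTrue`. `testXPath`, whose first lines close this hunk, continues outside it.

```java
@Test
public void testXXEFlaw() throws Exception {
    try {
        XmlUtil.readXmlToDocument("<!DOCTYPE foo [ \n"
            // … unchanged: ELEMENT/ENTITY declarations and the <hello> body …
            + " </hello>"); // no trailing "]]>]]>" — it would mask a missing DOCTYPE check
        fail("DOCTYPE declaration must be rejected");
    } catch (SAXParseException e) {
        // Rejected for the right reason, not for an unrelated syntax error.
        assertTrue(e.getMessage(), e.getMessage().contains("DOCTYPE"));
    }
}
```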