BUG-2511 Fix XXE vulnerability in Netconf 47/13647/1
authorMaros Marsalek <mmarsale@cisco.com>
Mon, 15 Dec 2014 10:03:56 +0000 (11:03 +0100)
committerMaros Marsalek <mmarsale@cisco.com>
Mon, 15 Dec 2014 10:20:20 +0000 (11:20 +0100)
Change-Id: Ifc1d63fc632e7395a46d85fc2ccb9095e7008430
Signed-off-by: Maros Marsalek <mmarsale@cisco.com>
opendaylight/netconf/netconf-api/src/main/java/org/opendaylight/controller/netconf/api/NetconfDocumentedException.java
opendaylight/netconf/netconf-util/src/main/java/org/opendaylight/controller/netconf/util/xml/XmlUtil.java
opendaylight/netconf/netconf-util/src/test/java/org/opendaylight/controller/netconf/util/xml/XmlUtilTest.java

index e5f32653c53d1a9cfd6bdd19dde5ce4d22bf339f..e1e932b55a31e709a5618dc23818cc848d07e088 100644 (file)
@@ -45,6 +45,15 @@ public class NetconfDocumentedException extends Exception {
 
     static {
         BUILDER_FACTORY = DocumentBuilderFactory.newInstance();
+        try {
+            BUILDER_FACTORY.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            BUILDER_FACTORY.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            BUILDER_FACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            BUILDER_FACTORY.setXIncludeAware(false);
+            BUILDER_FACTORY.setExpandEntityReferences(false);
+        } catch (ParserConfigurationException e) {
+            throw new ExceptionInInitializerError(e);
+        }
         BUILDER_FACTORY.setNamespaceAware(true);
         BUILDER_FACTORY.setCoalescing(true);
         BUILDER_FACTORY.setIgnoringElementContentWhitespace(true);
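Review bot: The `http://apache.org/xml/features/disallow-doctype-decl` feature on the first added line is Xerces-specific, so on a JAXP provider that does not recognise it `setFeature` throws and the class fails to load with `ExceptionInInitializerError`; that is the correct fail-closed outcome for a parser fed untrusted NETCONF input, but it is not obvious from the code and deserves a comment such as `// Fail closed: refuse to load rather than parse untrusted XML with a factory that cannot disable DTDs`. It would also be worth adding the portable `BUILDER_FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` alongside, since every JAXP implementation must accept that one. Note that `setExpandEntityReferences(false)` only affects how entity references appear in the DOM and is not itself a defence against external entity retrieval, so it should not be relied on if the doctype guard is ever relaxed. The static initializer continues past the end of this hunk.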
index ee5b27b2e7c704fc2531899b41241cb10f8ab15d..4ae65f31f72a6240e92d85be49e07c4f70b3115d 100644 (file)
@@ -49,6 +49,15 @@ public final class XmlUtil {
 
     static {
         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        try {
+            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            factory.setXIncludeAware(false);
+            factory.setExpandEntityReferences(false);
+        } catch (ParserConfigurationException e) {
+            throw new ExceptionInInitializerError(e);
+        }
         factory.setNamespaceAware(true);
         factory.setCoalescing(true);
         factory.setIgnoringElementContentWhitespace(true);
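Review bot: The five hardening calls added here are byte-for-byte the same block added to the static initializer of NetconfDocumentedException, so any future tightening (for instance setting the JAXP 1.5 `XMLConstants.ACCESS_EXTERNAL_DTD` attribute to `""` once the project's minimum Java version supports it) has to be remembered in two modules. A single helper, for example `static DocumentBuilderFactory newSecureDocumentBuilderFactory()` in whichever of the two modules the other may depend on, would keep the two parsers from drifting apart. As written the Apache-prefixed feature URI is implementation-specific; adding `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` gives a portable baseline that any JAXP provider must honour. The static initializer continues past the end of this hunk.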
index 3796dd996ae47179265837c488a58aa52c60870d..79aa565df9bcf7a0392938be0184384393275c43 100644 (file)
@@ -61,6 +61,18 @@ public class XmlUtilTest {
 
     }
 
+    @Test(expected = SAXParseException.class)
+    public void testXXEFlaw() throws Exception {
+        XmlUtil.readXmlToDocument("<!DOCTYPE foo [  \n" +
+                "<!ELEMENT foo ANY >\n" +
+                "<!ENTITY xxe SYSTEM \"file:///etc/passwd\" >]>\n" +
+                "<hello xmlns=\"urn:ietf:params:xml:ns:netconf:base:1.0\">\n" +
+                "  <capabilities>\n" +
+                "    <capability>urn:ietf:params:netconf:base:1.0 &xxe;</capability>\n" +
+                "  </capabilities>\n" +
+                "  </hello>]]>]]>");
+    }
+
     @Test
     public void testXPath() throws Exception {
         final XPathExpression correctXPath = XMLNetconfUtil.compileXPath("/top/innerText");
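Review bot: The trailing `]]>]]>` after `</hello>` in the test payload is a well-formedness error on its own (content after the root element), so this test throws `SAXParseException` even against an unhardened parser and does not actually prove the DOCTYPE guard is in place; drop the framing delimiter so the closing line reads `"</hello>");`. With JUnit's `expected=` the test also cannot distinguish which error fired, so a try/fail/catch that checks the message pins the rejection to the DTD guard (with the JDK's bundled Xerces the message mentions DOCTYPE; other providers may word it differently). Keeping the real-file reference `file:///etc/passwd` is fine, but on a platform without that file an unhardened parser would fail with an I/O error rather than a parse error, which is another reason to assert on the cause rather than the exception type alone.
```java
    @Test
    public void testXXEFlaw() throws Exception {
        try {
            XmlUtil.readXmlToDocument("<!DOCTYPE foo [  \n" +
                    // … unchanged: ELEMENT/ENTITY declarations and <hello> body …
                    "  </hello>");
            fail("DOCTYPE declaration must be rejected");
        } catch (SAXParseException e) {
            // Pin the failure to the disallow-doctype-decl guard, not to some other parse error
            assertTrue(e.getMessage(), e.getMessage().contains("DOCTYPE"));
        }
    }
```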