From 8ef160aa623096fc2905bb449997306bbec2b295 Mon Sep 17 00:00:00 2001
From: Maros Marsalek
Date: Mon, 15 Dec 2014 11:03:56 +0100
Subject: [PATCH] BUG-2511 Fix XXE vulnerability in Netconf
Change-Id: Ifc1d63fc632e7395a46d85fc2ccb9095e7008430
Signed-off-by: Maros Marsalek
---
 .../netconf/api/NetconfDocumentedException.java | 9 +++++++++
 .../controller/netconf/util/xml/XmlUtil.java | 9 +++++++++
 .../controller/netconf/util/xml/XmlUtilTest.java | 12 ++++++++++++
 3 files changed, 30 insertions(+)
diff --git a/opendaylight/netconf/netconf-api/src/main/java/org/opendaylight/controller/netconf/api/NetconfDocumentedException.java b/opendaylight/netconf/netconf-api/src/main/java/org/opendaylight/controller/netconf/api/NetconfDocumentedException.java
index e5f32653c5..e1e932b55a 100644
--- a/opendaylight/netconf/netconf-api/src/main/java/org/opendaylight/controller/netconf/api/NetconfDocumentedException.java
+++ b/opendaylight/netconf/netconf-api/src/main/java/org/opendaylight/controller/netconf/api/NetconfDocumentedException.java
@@ -45,6 +45,15 @@ public class NetconfDocumentedException extends Exception {
 static {
 BUILDER_FACTORY = DocumentBuilderFactory.newInstance();
+ try {
+ BUILDER_FACTORY.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ BUILDER_FACTORY.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ BUILDER_FACTORY.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ BUILDER_FACTORY.setXIncludeAware(false);
+ BUILDER_FACTORY.setExpandEntityReferences(false);
+ } catch (ParserConfigurationException e) {
+ throw new ExceptionInInitializerError(e);
+ }
 BUILDER_FACTORY.setNamespaceAware(true);
 BUILDER_FACTORY.setCoalescing(true);
 BUILDER_FACTORY.setIgnoringElementContentWhitespace(true);
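Review bot: The static initializer of NetconfDocumentedException (and the identical block in XmlUtil in the next hunk) disables DOCTYPE and external entities through Xerces-specific feature URIs only, so the same try block should also set the JAXP-portable `BUILDER_FACTORY.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);`, which every compliant implementation must honour and which, with the JDK's built-in parser, also applies entity-expansion limits. Turning ParserConfigurationException into ExceptionInInitializerError is the right fail-closed choice, but it deserves a comment such as `// Fail closed: if the parser cannot disable DOCTYPE/external entities this class must not load.` so the next maintainer does not soften it to a log line. The same feature list now lives in two modules; a single shared factory-configuration helper would keep them from drifting apart when another feature is added. The class enclosing the static block starts outside the hunk.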
diff --git a/opendaylight/netconf/netconf-util/src/main/java/org/opendaylight/controller/netconf/util/xml/XmlUtil.java b/opendaylight/netconf/netconf-util/src/main/java/org/opendaylight/controller/netconf/util/xml/XmlUtil.java
index ee5b27b2e7..4ae65f31f7 100644
--- a/opendaylight/netconf/netconf-util/src/main/java/org/opendaylight/controller/netconf/util/xml/XmlUtil.java
+++ b/opendaylight/netconf/netconf-util/src/main/java/org/opendaylight/controller/netconf/util/xml/XmlUtil.java
@@ -49,6 +49,15 @@ public final class XmlUtil {
 static {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ try {
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ factory.setXIncludeAware(false);
+ factory.setExpandEntityReferences(false);
+ } catch (ParserConfigurationException e) {
+ throw new ExceptionInInitializerError(e);
+ }
 factory.setNamespaceAware(true);
 factory.setCoalescing(true);
 factory.setIgnoringElementContentWhitespace(true);
diff --git a/opendaylight/netconf/netconf-util/src/test/java/org/opendaylight/controller/netconf/util/xml/XmlUtilTest.java b/opendaylight/netconf/netconf-util/src/test/java/org/opendaylight/controller/netconf/util/xml/XmlUtilTest.java
index 3796dd996a..79aa565df9 100644
--- a/opendaylight/netconf/netconf-util/src/test/java/org/opendaylight/controller/netconf/util/xml/XmlUtilTest.java
+++ b/opendaylight/netconf/netconf-util/src/test/java/org/opendaylight/controller/netconf/util/xml/XmlUtilTest.java
@@ -61,6 +61,18 @@ public class XmlUtilTest {
 }
+ @Test(expected = SAXParseException.class)
+ public void testXXEFlaw() throws Exception {
+ XmlUtil.readXmlToDocument("\n" +
+ "]>\n" +
+ "\n" +
+ " \n" +
+ " urn:ietf:params:netconf:base:1.0 &xxe;\n" +
+ " \n" +
+ " ]]>]]>");
+ }
+
 @Test
 public void testXPath() throws Exception {
 final XPathExpression correctXPath = XMLNetconfUtil.compileXPath("/top/innerText");
-- 
2.36.6
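Review bot: testXXEFlaw accepts any SAXParseException, so a payload that is merely malformed (the string as rendered here appears to have lost its markup, which makes that a real possibility) would pass the test without proving that the DOCTYPE was rejected; the test should pin the reason rather than the exception type. A try/fail/catch shape with an assertion on the message does that with `org.junit.Assert.fail` and `assertTrue`, which the file's JUnit 4 style already allows. It would also be worth a second test that feeds a document without a DOCTYPE to confirm ordinary NETCONF messages still parse after the hardening. The enclosing XmlUtilTest class starts outside the hunk.
```java
@Test
public void testXXEFlaw() throws Exception {
    try {
        XmlUtil.readXmlToDocument(/* … unchanged: DOCTYPE/entity payload string … */);
        fail("DOCTYPE declaration must be rejected");
    } catch (SAXParseException e) {
        // Pin the reason, not just the type, so a merely malformed payload cannot make this pass.
        assertTrue(e.getMessage(), e.getMessage().contains("DOCTYPE"));
    }
}
```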