mirrors/nomulus
1
0
Fork 0
mirror of https://github.com/google/nomulus synced 2026-01-08 15:21:46 +00:00
Code Issues Releases Wiki Activity

Better configure DocumentBuilderFactory to help prevent XXE (#2132)

Browse Source 
For more information see: https://community.veracode.com/s/article/Java-Remediation-Guidance-for-XXE
This commit is contained in:
Ben McIlwain
2023-08-30 10:17:37 -04:00
committed by GitHub
parent ebf07833e5
commit 6b5ec36eed
3 changed files with 15 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
core/src/main/java/google/registry/flows/EppXmlSanitizer.java
View File

@@ -165,6 +165,9 @@ public class EppXmlSanitizer {
xmlInputFactory.setProperty(XMLInputFactory.IS_COALESCING, true);
// Preserve Name Space information.
xmlInputFactory.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, true);
// Prevent XXE attacks.
xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
xmlInputFactory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
return xmlInputFactory;
}
}

4
core/src/main/java/google/registry/tmch/TmchXmlSignature.java
View File

@@ -111,6 +111,10 @@ public class TmchXmlSignature {
dbf.setSchema(SCHEMA);
dbf.setAttribute("http://apache.org/xml/features/validation/schema/normalized-value", false);
dbf.setNamespaceAware(true);
// Disable DTDs
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setXIncludeAware(false); // disable XML Inclusions
dbf.setExpandEntityReferences(false); // disable expand entity reference nodes
return dbf.newDocumentBuilder().parse(input);
}