
Commit dba932f

prevent external entity injection in XML Document Factory parsing
1 parent 663f290 commit dba932f


1 file changed

+36
-33
lines changed

1 file changed

+36
-33
lines changed

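--- a/imagetool/src/main/java/com/oracle/weblogic/imagetool/util/HttpUtil.java
+++ b/imagetool/src/main/java/com/oracle/weblogic/imagetool/util/HttpUtil.java
@@ -8,10 +8,9 @@
 import java.io.StringReader;
 import java.util.ArrayList;
 import java.util.List;
-import java.util.logging.Logger;
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
-import javax.xml.parsers.ParserConfigurationException;
 
 import com.oracle.weblogic.imagetool.logging.LoggingFacade;
 import com.oracle.weblogic.imagetool.logging.LoggingFactory;
@@ -42,6 +41,37 @@ public class HttpUtil {
 
     private static final LoggingFacade logger = LoggingFactory.getLogger(HttpUtil.class);
 
+    private static Document parseXmlString(String xmlString) throws ClientProtocolException {
+        logger.entering(xmlString);
+
+        try {
+            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+            try {
+                factory.setXIncludeAware(false);
+                factory.setExpandEntityReferences(false);
+            } catch (Throwable ex) {
+                logger.warning("Failed to set XML factory feature: {0}", ex.getLocalizedMessage());
+            }
+
+            try {
+                factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            } catch (Throwable ex) {
+                logger.warning("Failed to set FEATURE_SECURE_PROCESSING: {0}", ex.getLocalizedMessage());
+            }
+
+            DocumentBuilder builder = factory.newDocumentBuilder();
+            InputSource input = new InputSource(new StringReader(xmlString));
+            Document doc = builder.parse(input);
+            logger.finest(doc);
+            logger.exiting();
+            return doc;
+        } catch (SAXException ex) {
+            throw new ClientProtocolException("Malformed XML document", ex);
+        } catch (Exception g) {
+            throw new IllegalStateException(g);
+        }
+    }
+
     /**
      * Return the xml result of a GET from the url.
      *
@@ -57,21 +87,8 @@ public static Document getXMLContent(String url, String username, String passwor
         String xmlString = Executor.newInstance(getOraClient(username, password))
             .execute(Request.Get(url).connectTimeout(30000).socketTimeout(30000))
             .returnContent().asString();
-        try {
-            DocumentBuilderFactory dbfac = DocumentBuilderFactory.newInstance();
-            DocumentBuilder docBuilder = dbfac.newDocumentBuilder();
-            InputSource is = new InputSource(new StringReader(xmlString));
-            Document doc = docBuilder.parse(is);
-            logger.finest(doc);
-            logger.exiting();
-            return doc;
-        } catch (ParserConfigurationException ex) {
-            throw new IllegalStateException(ex);
-        } catch (SAXException ex) {
-            throw new ClientProtocolException("Malformed XML document", ex);
-        } catch (Exception g) {
-            throw new IllegalStateException(g);
-        }
+        logger.exiting();
+        return parseXmlString(xmlString);
     }
 
     private static HttpClient getOraClient(String userId, String password) {
@@ -164,22 +181,8 @@ public static Document postCheckConflictRequest(String url, String payload, Stri
         String xmlString =
             httpExecutor.execute(Request.Post(url).connectTimeout(30000).socketTimeout(30000).body(entity))
                 .returnContent().asString();
-        logger.finest("Returned Raw result: {0}", xmlString);
-        try {
-            DocumentBuilderFactory dbfac = DocumentBuilderFactory.newInstance();
-            DocumentBuilder docBuilder = dbfac.newDocumentBuilder();
-            InputSource is = new InputSource(new StringReader(xmlString));
-            Document doc = docBuilder.parse(is);
-            logger.finest(doc);
-            logger.exiting();
-            return doc;
-        } catch (ParserConfigurationException ex) {
-            throw new IllegalStateException(ex);
-        } catch (SAXException ex) {
-            throw new ClientProtocolException("Malformed XML document", ex);
-        } catch (Exception g) {
-            throw new IllegalStateException(g);
-        }
+        logger.exiting();
+        return parseXmlString(xmlString);
 
     }
 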
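Review bot: The new parseXmlString (second hunk, new lines 47-60) still accepts a DOCTYPE, so a response that declares an external entity can still reach the parser's entity resolver: `setExpandEntityReferences(false)` only decides whether references are expanded into the DOM tree, and `FEATURE_SECURE_PROCESSING` restricts external DTD access only where the JAXP provider in use honours the JAXP 1.5 access properties (the JDK's bundled parser does; a standalone Xerces on the classpath may not). Assuming these service responses never need a DTD, the simplest hardening is to reject it outright before `newDocumentBuilder()`: `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`, falling back to setting `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false on providers that lack that feature. The two `catch (Throwable ex)` blocks also downgrade a failed hardening step to a warning and then parse with an unhardened factory; when a feature cannot be set it is safer to fail closed, e.g. `throw new IllegalStateException("XML parser could not be hardened", ex);`. The helper is fully contained in the hunk.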
