
Commit 93bf55b

rajat-gargrajatgarg
and
rajatgarg
authored
[BAEL-7652] Fix XXE Vulnerability by creating a SecureDocumentBuilderFactory (#17732)
Co-authored-by: rajatgarg <[email protected]>
1 parent 09ea288 commit 93bf55b


3 files changed

+28
-6
lines changed


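--- a/xml/src/main/java/com/baeldung/xml/DefaultParser.java
+++ b/xml/src/main/java/com/baeldung/xml/DefaultParser.java
@@ -1,5 +1,7 @@
 package com.baeldung.xml;
 
+import static com.baeldung.xml.SecureDocumentBuilderFactory.newSecureDocumentBuilderFactory;
+
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
@@ -31,7 +33,7 @@ public NodeList getFirstLevelNodeList() {
 NodeList nodeList = null;
 try {
 FileInputStream fileIS = new FileInputStream(this.getFile());
-DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
+DocumentBuilderFactory builderFactory = newSecureDocumentBuilderFactory();
 
 DocumentBuilder builder = builderFactory.newDocumentBuilder();
 
@@ -52,7 +54,7 @@ public NodeList getFirstLevelNodeList() {
 public Node getNodeById(String id) {
 Node node = null;
 try {
-DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
+DocumentBuilderFactory builderFactory = newSecureDocumentBuilderFactory();
 
 DocumentBuilder builder = builderFactory.newDocumentBuilder();
 
@@ -73,7 +75,7 @@ public Node getNodeById(String id) {
 public NodeList getNodeListByTitle(String name) {
 NodeList nodeList = null;
 try {
-DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
+DocumentBuilderFactory builderFactory = newSecureDocumentBuilderFactory();
 
 DocumentBuilder builder = builderFactory.newDocumentBuilder();
 
@@ -97,7 +99,7 @@ public NodeList getElementsByDate(String date) {
 NodeList nodeList = null;
 
 try {
-DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
+DocumentBuilderFactory builderFactory = newSecureDocumentBuilderFactory();
 
 DocumentBuilder builder = builderFactory.newDocumentBuilder();
 
@@ -120,7 +122,7 @@ public NodeList getElementsByDate(String date) {
 public NodeList getAllTutorials() {
 NodeList nodeList = null;
 try {
-DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
+DocumentBuilderFactory builderFactory = newSecureDocumentBuilderFactory();
 builderFactory.setNamespaceAware(true);
 DocumentBuilder builder = builderFactory.newDocumentBuilder();
 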
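Review bot: The factory returned by newSecureDocumentBuilderFactory() sets disallow-doctype-decl, so every parse in these five methods now fails for any input that carries a DOCTYPE, well-formed fixtures included, and the same applies to the replaced call in JaxenDemo.getAllTutorial. The catch blocks that decide how that failure surfaces lie outside the hunks, so it is worth confirming that they report the rejection rather than letting the method fall through to the null NodeList or Node it initialises, and that the sample XML these demos read contains no DTD. A comment at the first replaced line, `// hardened factory: any DOCTYPE is rejected, so DTD-bearing input fails at parse time`, would make the new failure mode visible at the call sites. Each enclosing method continues past the end of its hunk.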
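--- a/xml/src/main/java/com/baeldung/xml/JaxenDemo.java
+++ b/xml/src/main/java/com/baeldung/xml/JaxenDemo.java
@@ -1,5 +1,7 @@
 package com.baeldung.xml;
 
+import static com.baeldung.xml.SecureDocumentBuilderFactory.newSecureDocumentBuilderFactory;
+
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
@@ -26,7 +28,7 @@ public JaxenDemo(File file) {
 public List getAllTutorial() {
 try {
 FileInputStream fileIS = new FileInputStream(this.getFile());
-DocumentBuilderFactory builderFactory = DocumentBuilderFactory.newInstance();
+DocumentBuilderFactory builderFactory = newSecureDocumentBuilderFactory();
 
 DocumentBuilder builder = builderFactory.newDocumentBuilder();
 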
@@ -0,0 +1,18 @@
1+
package com.baeldung.xml;
2+
3+
import javax.xml.parsers.DocumentBuilderFactory;
4+
import javax.xml.parsers.ParserConfigurationException;
5+
6+
public class SecureDocumentBuilderFactory {
7+
public static DocumentBuilderFactory newSecureDocumentBuilderFactory() throws ParserConfigurationException {
8+
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
9+
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
10+
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
11+
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
12+
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
13+
dbf.setFeature("http://apache.org/xml/features/dom/create-entity-ref-nodes", false);
14+
dbf.setExpandEntityReferences(false);
15+
dbf.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true);
16+
return dbf;
17+
}
18+
}
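Review bot: SecureDocumentBuilderFactory is a stateless holder for one static method, yet it is neither final nor constructor-private and it spells the secure-processing feature as a string literal; tighten it to `public final class SecureDocumentBuilderFactory {` with `private SecureDocumentBuilderFactory() {}` and, with `javax.xml.XMLConstants` imported, `dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);`. The method also has no Javadoc; it should say that disallow-doctype-decl is the primary control (any DTD, and with it any entity declaration, is rejected before entity processing starts) and that the external-entity, load-external-dtd, entity-reference and secure-processing settings are defence in depth for a caller who later relaxes DOCTYPE handling. The Apache-prefixed feature URIs are implementation-specific, so a JAXP provider that does not recognise them makes setFeature throw ParserConfigurationException and the method fails closed instead of handing back an unhardened factory; a short note recording that this is intended would stop a future maintainer from catching and ignoring that exception.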
