Fix CWE-611

This commit fixes the issue described on https://cwe.mitre.org/data/definitions/611.html test
gturri · Oct 15, 2020 · ad6615b · ad6615b
1 parent 2e59d03
commit ad6615b
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/Changelog b/Changelog
@@ -1,3 +1,5 @@
+Fix security issue CWE-611
+
 1.12.0
 Add flag ACCEPT_NULL_DATES
 

diff --git a/src/main/java/de/timroes/axmlrpc/ResponseParser.java b/src/main/java/de/timroes/axmlrpc/ResponseParser.java
@@ -10,6 +10,7 @@
 
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.transform.OutputKeys;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerException;
@@ -45,9 +46,17 @@ public class ResponseParser {
  public Object parse(SerializerHandler serializerHandler, InputStream response, boolean debugMode) throws XMLRPCException {
 
  try {
-
  DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+
+ // Ensure the xml parser won't allow exploitation of the vuln CWE-611
+ // (described on https://cwe.mitre.org/data/definitions/611.html )
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ factory.setExpandEntityReferences(false);
  factory.setNamespaceAware(true);
+ factory.setXIncludeAware(false);
+ factory.setExpandEntityReferences(false);
+ // End of the configuration of the parser for CWE-611
+
  DocumentBuilder builder = factory.newDocumentBuilder();
  Document dom = builder.parse(response);
  if (debugMode ){