Oswaldo Hernandez [Atlassian] Bugmaster committed 04f16ce

Protect loading of workflows in XMLWorkflow factory against XML vulnerabilities by:
- Enabling secure processing feature in the xml parser. This will place limits so xml entities are not expanded recursively and exhaust memory.
- Not resolving external references to unknown xml entities by switching off the "";
and ""; features and disabling loading of external dtds.
- Ensure we build a non-validating parser.
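The three settings the commit message describes (secure processing, no external entity resolution, no external DTD loading, on a non-validating parser) in one runnable program. This is an added example, not OSWorkflow code and not the commit's own diff: the feature URIs are the standard Xerces/SAX names and are my assumption, since the rendered page above shows the strings as blank; the two XML inputs are constructed samples, and the optional disallow-doctype-decl setting goes a step beyond what the commit message lists.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedWorkflowLoader {

    // Constructed sample, not a real descriptor: a DOCTYPE pointing at an external DTD,
    // which a default parser would try to fetch over the network before parsing the body.
    private static final String EXTERNAL_DTD_SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE workflow SYSTEM \"http://dtd.example.invalid/workflow.dtd\">\n"
      + "<workflow><step id=\"1\" name=\"Open\"/></workflow>";

    // Constructed sample: the classic XXE shape, an external general entity
    // referenced from element content.
    private static final String XXE_SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE workflow [ <!ENTITY ext SYSTEM \"file:///etc/hostname\"> ]>\n"
      + "<workflow><step id=\"1\">&ext;</step></workflow>";

    /**
     * Non-validating factory that neither resolves external entities nor loads the
     * external DTD. allowDoctype=true matches the approach in the commit message (a
     * DOCTYPE may be present, nothing external is fetched); false additionally rejects
     * any DOCTYPE, the stricter option when you control the input format.
     * Feature names are assumed (standard Xerces/SAX URIs); see lead-in.
     */
    public static DocumentBuilderFactory hardenedFactory(boolean allowDoctype)
            throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setValidating(false);
        // JAXP limits on entity expansion count and depth ("billion laughs" style bombs).
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        if (!allowDoctype) {
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        }
        // Never fetch external general/parameter entities or the external DTD subset.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Defence in depth on the factory itself: no XInclude, no inline expansion.
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    public static Document parse(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // 1. Commit-style configuration: DOCTYPE tolerated, external DTD never requested,
        //    so this parses offline instead of stalling on the unreachable host.
        DocumentBuilderFactory lenient = hardenedFactory(true);
        Document d = parse(lenient, EXTERNAL_DTD_SAMPLE);
        System.out.println("external-DTD sample parsed, root=" + d.getDocumentElement().getTagName());

        // 2. Same configuration against XXE: the entity is declared but never resolved,
        //    so the step's text is empty rather than the contents of /etc/hostname.
        Document x = parse(lenient, XXE_SAMPLE);
        String text = x.getElementsByTagName("step").item(0).getTextContent();
        System.out.println("XXE sample step text=\"" + text + "\" (empty: entity not resolved)");

        // 3. Stricter configuration: any DOCTYPE is a hard parse error.
        try {
            parse(hardenedFactory(false), XXE_SAMPLE);
            System.out.println("UNEXPECTED: DOCTYPE accepted");
        } catch (SAXParseException e) {
            System.out.println("strict factory rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

Two practical caveats. `setFeature` throws `ParserConfigurationException` if the JAXP implementation on the classpath does not know a feature name, so the factory fails closed rather than silently running unhardened; treat that exception as a fatal configuration error, not something to swallow. And if the documents you load legitimately start with a DOCTYPE (OSWorkflow descriptors reference a public DTD), keep `allowDoctype=true` and rely on the remaining settings, which is exactly the trade-off the commit message describes.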

  • Parent commits 4e9032b
  • Branches default

Comments (0)

Files changed (1)

File src/java/com/opensymphony/workflow/loader/

 import com.opensymphony.workflow.FactoryException;
 import com.opensymphony.workflow.InvalidWorkflowDescriptorException;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
-import org.w3c.dom.*;
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
-import java.util.*;
-import javax.xml.parsers.*;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
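Review bot: Narrowing the `org.w3c.dom.*` and `java.util.*` wildcards to explicit `Document`, `Element`, `HashMap`, `Iterator`, `List` and `Map` imports only compiles if no other type from those packages (a `NodeList`, `NamedNodeMap` or `ArrayList`, for instance) is used elsewhere in this file; that cannot be checked from this hunk, so confirm a full-file compile before merging. The newly imported `ParserConfigurationException` is the checked exception `DocumentBuilderFactory.setFeature` throws, so it should be caught or declared wherever the feature calls are made, not just imported.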
         try {
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+            dbf.setValidating(false);
+            dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            dbf.setAttribute("", Boolean.FALSE);
+            dbf.setFeature("", false);
+            dbf.setFeature("", false);
             DocumentBuilder db;
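Review bot: `dbf.setFeature(...)` throws `ParserConfigurationException` when the underlying parser does not recognise a feature, so with a non-Xerces JAXP implementation the factory setup itself fails rather than leaving the unsafe defaults in place; the `try {` above suggests this is handled, but the catch clause is outside the hunk, so confirm it surfaces as a `FactoryException` and the workflow load fails closed instead of falling through. Two further cheap hardening calls that live on `DocumentBuilderFactory` itself and need no feature-name support, `dbf.setExpandEntityReferences(false)` and `dbf.setXIncludeAware(false)`, are worth adding next to `setValidating(false)`. The feature and attribute name strings render as empty on this page, so their correctness cannot be verified here; a one-line comment per call saying what each feature switches off would make the intent reviewable without looking up the URIs.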