
Oswaldo Hernandez committed 04f16ce

Protect loading of workflows in XMLWorkflow factory against XML vulnerabilities by:
- Enabling secure processing feature in the xml parser. This will place limits so xml entities are not expanded recursively and exhaust memory.
- Not resolving external references to unknown xml entities by switching off the "http://xml.org/sax/features/external-general-entities"
and "http://xml.org/sax/features/external-parameter-entities" features and disabling loading of external dtds.
- Ensure we build a non-validating parser.

  • Parent commits 4e9032b


Files changed (1)

File src/java/com/opensymphony/workflow/loader/XMLWorkflowFactory.java

 
 import com.opensymphony.workflow.FactoryException;
 import com.opensymphony.workflow.InvalidWorkflowDescriptorException;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
 
-import org.w3c.dom.*;
-
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 import java.io.*;
-
 import java.net.URL;
-
-import java.util.*;
-
-import javax.xml.parsers.*;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
 
 
 /**
         try {
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
             dbf.setNamespaceAware(true);
+            dbf.setValidating(false);
+            dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            dbf.setAttribute("http://apache.org/xml/features/nonvalidating/load-external-dtd", Boolean.FALSE);
+            dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 
             DocumentBuilder db;