
Oswaldo Hernandez  committed 92f43e6

Protect loading of DefaultConfiguration against XML vulnerabilities by:
- Enabling secure processing feature in the xml parser. This will place limits so xml entities are not expanded recursively and exhaust memory.
- Not resolving external references to unknown xml entities by switching off the "http://xml.org/sax/features/external-general-entities"
and "http://xml.org/sax/features/external-parameter-entities" features and disabling loading of external dtds.
- Ensure we build a non-validating parser.

  • Parent commits 9eb05f4


Files changed (1)

File src/java/com/opensymphony/workflow/config/DefaultConfiguration.java

 import com.opensymphony.workflow.FactoryException;
 import com.opensymphony.workflow.StoreException;
 import com.opensymphony.workflow.loader.*;
-import com.opensymphony.workflow.loader.ClassLoaderUtil;
 import com.opensymphony.workflow.spi.WorkflowStore;
 import com.opensymphony.workflow.util.DefaultVariableResolver;
 import com.opensymphony.workflow.util.VariableResolver;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
 
-import org.w3c.dom.*;
-
+import javax.xml.XMLConstants;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 import java.io.InputStream;
 import java.io.Serializable;
-
 import java.net.URL;
-
-import java.util.*;
-
-import javax.xml.parsers.*;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Properties;
 
 
 /**
         }
 
         try {
-            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+            final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
             dbf.setNamespaceAware(true);
+            dbf.setValidating(false);
+            dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+            dbf.setAttribute("http://apache.org/xml/features/nonvalidating/load-external-dtd", Boolean.FALSE);
+            dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
 
             DocumentBuilder db;