Fix External Entity Injection

egru · egru · commit 2250ae589aab · 2016-10-26T21:34:17.000-05:00
diff --git a/src/main/java/com/ibm/wsdl/xml/WSDLReaderImpl.java b/src/main/java/com/ibm/wsdl/xml/WSDLReaderImpl.java
@@ -7,6 +7,7 @@
 import java.io.*;
 import java.net.*;
 import java.util.*;
+import javax.xml.XMLConstants;
 import javax.xml.namespace.*;
 import javax.xml.parsers.*;
 
@@ -2209,7 +2210,8 @@ private static Document getDocument(InputSource inputSource,
                                       String desc) throws WSDLException
   {
     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
-
+    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
     factory.setNamespaceAware(true);
     factory.setValidating(false);
 
diff --git a/src/main/java/com/ibm/wsdl/xml/WSDLWriterImpl.java b/src/main/java/com/ibm/wsdl/xml/WSDLWriterImpl.java
@@ -6,6 +6,7 @@
 
 import java.io.*;
 import java.util.*;
+import javax.xml.XMLConstants;
 import javax.xml.namespace.*;
 import javax.xml.parsers.*;
 import org.w3c.dom.*;
@@ -1004,7 +1005,8 @@ private static Document getDocument(InputSource inputSource,
                                       String desc) throws WSDLException
   {
     DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
-
+    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
     factory.setNamespaceAware(true);
     factory.setValidating(false);
 
diff --git a/src/main/java/org/reficio/ws/common/XmlUtils.java b/src/main/java/org/reficio/ws/common/XmlUtils.java
@@ -25,6 +25,7 @@
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 
+import javax.xml.XMLConstants;
 import javax.xml.namespace.QName;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
@@ -83,6 +84,8 @@ public static Source xmlStringToSource(String xmlString) {
         StringReader reader = new StringReader(xmlString);
         InputSource src = new InputSource(reader);
         DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
         try {
             DocumentBuilder db = dbf.newDocumentBuilder();
             Document dom = db.parse(src);
@@ -138,6 +141,8 @@ public static String serializePretty(Document document) {
     public static String normalizeAndRemoveValues(String xmlContent) {
         try {
             DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+            dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+            dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
             dbf.setNamespaceAware(true);
             dbf.setCoalescing(true);
             dbf.setIgnoringElementContentWhitespace(true);
diff --git a/src/main/java/org/reficio/ws/legacy/XmlUtils.java b/src/main/java/org/reficio/ws/legacy/XmlUtils.java
@@ -29,6 +29,7 @@
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 
+import javax.xml.XMLConstants;
 import javax.xml.namespace.QName;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
@@ -276,6 +277,8 @@ private static DocumentBuilder ensureDocumentBuilder() {
         if (documentBuilder == null) {
             try {
                 DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+                dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+                dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
                 dbf.setNamespaceAware(true);
                 documentBuilder = dbf.newDocumentBuilder();
             } catch (ParserConfigurationException e) {
