wechat/weixin-java-tools
1
0
Fork 0
mirror of https://gitee.com/binary/weixin-java-tools.git synced 2025-10-31 10:38:42 +08:00
Code Issues Packages Projects Releases Wiki Activity

🎨 #1427 fix XmlUtils.xml2Map() method which was vulnerable to XXE vulnerability

Browse Source
This commit is contained in:
Binary Wang
2020-03-28 22:16:53 +08:00
parent 1f49ac0781
commit a9cd7d2c2f
2 changed files with 29 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
weixin-java-common/src/main/java/me/chanjar/weixin/common/util/XmlUtils.java
View File

@ -1,21 +1,21 @@
package me.chanjar.weixin.common.util; package me.chanjar.weixin.common.util;
import java.io.StringReader; import com.google.common.collect.Lists;
import java.util.HashMap; import com.google.common.collect.Maps;
import java.util.List; import com.google.common.collect.Sets;
import java.util.Map;
import java.util.Set;
import org.dom4j.Document; import org.dom4j.Document;
import org.dom4j.DocumentException; import org.dom4j.DocumentException;
import org.dom4j.Element; import org.dom4j.Element;
import org.dom4j.Node; import org.dom4j.Node;
import org.dom4j.io.SAXReader; import org.dom4j.io.SAXReader;
import org.dom4j.tree.DefaultText; import org.dom4j.tree.DefaultText;
import org.xml.sax.SAXException;
import com.google.common.collect.Lists; import java.io.StringReader;
import com.google.common.collect.Maps; import java.util.HashMap;
import com.google.common.collect.Sets; import java.util.List;
import java.util.Map;
import java.util.Set;
/** /**
* <pre> * <pre>
@ -31,13 +31,18 @@ public class XmlUtils {
Map<String, Object> map = new HashMap<>(16); Map<String, Object> map = new HashMap<>(16);
try { try {
SAXReader saxReader = new SAXReader(); SAXReader saxReader = new SAXReader();
saxReader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
saxReader.setFeature("http://javax.xml.XMLConstants/feature/secure-processing", true);
saxReader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
saxReader.setFeature("http://xml.org/sax/features/external-general-entities", false);
saxReader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
Document doc = saxReader.read(new StringReader(xmlString)); Document doc = saxReader.read(new StringReader(xmlString));
Element root = doc.getRootElement(); Element root = doc.getRootElement();
List<Element> elements = root.elements(); List<Element> elements = root.elements();
for (Element element : elements) { for (Element element : elements) {
map.put(element.getName(), element2MapOrString(element)); map.put(element.getName(), element2MapOrString(element));
} }
} catch (DocumentException e) { } catch (DocumentException | SAXException e) {
throw new RuntimeException(e); throw new RuntimeException(e);
} }

15
weixin-java-common/src/test/java/me/chanjar/weixin/common/util/XmlUtilsTest.java
View File

@ -1,10 +1,10 @@
package me.chanjar.weixin.common.util; package me.chanjar.weixin.common.util;
import org.testng.annotations.Test;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import org.testng.annotations.*;
import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThat;
/** /**
@ -17,6 +17,17 @@ import static org.assertj.core.api.Assertions.assertThat;
*/ */
public class XmlUtilsTest { public class XmlUtilsTest {
@Test(expectedExceptions = {RuntimeException.class})
public void testXml2Map_xxe() {
String xml = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n" +
"<!DOCTYPE test [\n" +
"<!ENTITY xxe SYSTEM \"file:///etc/passwd\">\n" +
"<!ENTITY xxe2 SYSTEM \"http://localhost/test.php\">\n" +
"]>\n" +
"<xml></xml>";
XmlUtils.xml2Map(xml);
}
@Test @Test
public void testXml2Map() { public void testXml2Map() {
String xml = "<xml>\n" + String xml = "<xml>\n" +