HDFS-16766. XML External Entity (XXE) attacks can occur while processing XML received from an untrusted source (#4886)

Co-authored-by: Ashutosh Gupta <ashugpt@amazon.com>
Signed-off-by: Akira Ajisaka <aajisaka@apache.org>
This commit is contained in:
Ashutosh Gupta 2022-09-27 07:44:25 +01:00 committed by GitHub
parent 5d20988f9f
commit d9f435f6ac
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 5 additions and 0 deletions

View File

@ -89,6 +89,11 @@ public class ECPolicyLoader {
// Read and parse the EC policy file. // Read and parse the EC policy file.
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance(); DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setIgnoringComments(true); dbf.setIgnoringComments(true);
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
dbf.setFeature("http://apache.org/xml/features/dom/create-entity-ref-nodes", false);
DocumentBuilder builder = dbf.newDocumentBuilder(); DocumentBuilder builder = dbf.newDocumentBuilder();
Document doc = builder.parse(policyFile); Document doc = builder.parse(policyFile);
Element root = doc.getDocumentElement(); Element root = doc.getDocumentElement();