From ae5128a785c80dd9f32dce22ee85a9e30d972885 Mon Sep 17 00:00:00 2001
From: Jeremy Landis
Date: Wed, 25 Sep 2024 19:09:39 -0400
Subject: [PATCH 1/2] [secure] Add more security

---
 src/main/java/com/ibatis/common/xml/NodeletParser.java | 4 ++++
 .../sqlmap/engine/mapping/statement/MappedStatement.java | 2 ++
 .../sqlmap/engine/mapping/statement/RowHandlerCallback.java | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/src/main/java/com/ibatis/common/xml/NodeletParser.java b/src/main/java/com/ibatis/common/xml/NodeletParser.java
index cf085958..86b7813d 100644
--- a/src/main/java/com/ibatis/common/xml/NodeletParser.java
+++ b/src/main/java/com/ibatis/common/xml/NodeletParser.java
@@ -197,6 +197,8 @@ private Document createDocument(Reader reader) throws ParserConfigurationException, FactoryConfigurationError, SAXException, IOException {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
 factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
 factory.setValidating(validation);
 factory.setNamespaceAware(false);
@@ -244,6 +246,8 @@ private Document createDocument(InputStream inputStream) throws ParserConfigurationException, FactoryConfigurationError, SAXException, IOException {
 DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
 factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
 factory.setValidating(validation);
 factory.setNamespaceAware(false);
diff --git a/src/main/java/com/ibatis/sqlmap/engine/mapping/statement/MappedStatement.java b/src/main/java/com/ibatis/sqlmap/engine/mapping/statement/MappedStatement.java
index cfd26595..edc422d6 100644
--- a/src/main/java/com/ibatis/sqlmap/engine/mapping/statement/MappedStatement.java
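Review bot: `DocumentBuilderFactory.setAttribute` is specified to throw `IllegalArgumentException` when the implementation does not recognize the attribute, so the two new `ACCESS_EXTERNAL_*` lines turn configuration loading into a hard failure on a parser that predates JAXP 1.5 (an older Xerces ahead of the JDK's on the classpath) instead of degrading to the `FEATURE_SECURE_PROCESSING` baseline already set on the line above; the same applies to the `createDocument(InputStream)` hunk below and to `stringToDocument` in MappedStatement.java, and it is the failure mode the second patch in this series runs into on the TransformerFactory. I would guard the two calls and fall back to the SAX feature that blocks external general entities, leaving parameter entities enabled because `setValidating(validation)` may still need the external DTD subset. Whether the `""` restriction is compatible with validation against the sql-map DTDs presumably depends on the entity resolver handing the parser its own classpath stream for them — worth a test that loads a config with validation on, since otherwise the restriction blocks the DTD fetch itself. The enclosing `createDocument` starts before the hunk (only its signature is in the hunk header) and continues past it.
```java
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
try {
    // JAXP 1.5: forbid fetching external DTDs/schemas (XXE / SSRF surface).
    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    factory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
} catch (IllegalArgumentException e) {
    // Parser predates JAXP 1.5: block external general entities instead.
    // Parameter entities stay enabled because setValidating(validation)
    // below may still need the external DTD subset.
    factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
}
// … unchanged: setValidating / setNamespaceAware …
```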
+++ b/src/main/java/com/ibatis/sqlmap/engine/mapping/statement/MappedStatement.java
@@ -454,6 +454,8 @@ private Document stringToDocument(String s) {
 try {
 DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
 documentBuilderFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+ documentBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ documentBuilderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
 DocumentBuilder documentBuilder = documentBuilderFactory.newDocumentBuilder();
 return documentBuilder.parse(new ReaderInputStream(new StringReader(s)));
 } catch (Exception e) {
diff --git a/src/main/java/com/ibatis/sqlmap/engine/mapping/statement/RowHandlerCallback.java b/src/main/java/com/ibatis/sqlmap/engine/mapping/statement/RowHandlerCallback.java
index 3f0add01..a3450508 100644
--- a/src/main/java/com/ibatis/sqlmap/engine/mapping/statement/RowHandlerCallback.java
+++ b/src/main/java/com/ibatis/sqlmap/engine/mapping/statement/RowHandlerCallback.java
@@ -24,6 +24,7 @@ import java.sql.ResultSet;
 import java.sql.SQLException;
+import javax.xml.XMLConstants;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactory;
@@ -108,6 +109,8 @@ private String documentToString(Document document) {
 try {
 TransformerFactory tFactory = TransformerFactory.newInstance();
+ tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+ tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
 Transformer transformer = tFactory.newTransformer();
 DOMSource source = new DOMSource(document);

From 12b5589bd78263025921b126881b749752694316 Mon Sep 17 00:00:00 2001
From: Jeremy Landis
Date: Wed, 25 Sep 2024 19:34:11 -0400
Subject: [PATCH 2/2] [revert] Transformer doesn't like that one, try without it to see if rest of tests work

---
 .../sqlmap/engine/mapping/statement/RowHandlerCallback.java | 3 ---
 1 file changed, 3 deletions(-)
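Review bot: `return documentBuilder.parse(new ReaderInputStream(new StringReader(s)))` round-trips the String through bytes before the newly restricted parser sees it, so the characters are re-encoded with whatever charset `ReaderInputStream` defaults to (its origin is not visible here) and then sniffed again by the parser; `return documentBuilder.parse(new InputSource(new StringReader(s)));` hands the characters over directly, avoids the charset guess, and needs only `org.xml.sax.InputSource` in scope. Separately, the blanket `catch (Exception e)` around the block will now also receive the `IllegalArgumentException` a pre-JAXP-1.5 parser raises for the two new `setAttribute` lines, so a deployment-time configuration problem is reported through the same path as a malformed document; the handler body lies outside the hunk, so I cannot tell whether it distinguishes the two. `stringToDocument` continues past the hunk.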
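Review bot: `TransformerFactory.setAttribute` is specified to throw `IllegalArgumentException` for an attribute the implementation does not recognize, and the second patch in this series deletes both new lines again because the factory in use rejected one of them (which one cannot be determined from the patch), leaving `documentToString` with no restriction at all. `tFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);` is the portable knob — every JAXP TransformerFactory is required to support it — and the transformer-specific access property is `XMLConstants.ACCESS_EXTERNAL_STYLESHEET`, so I would set the feature unconditionally and attempt the access properties inside a guard so an older factory degrades rather than failing the serialization; `setFeature` throws `TransformerConfigurationException`, a `TransformerException`, which the existing catch presumably already covers. Note that an identity transform of an already-parsed DOM fetches neither DTDs nor stylesheets, so the exposure on this path is small either way. The enclosing try block and its catch are outside the hunk.
```java
TransformerFactory tFactory = TransformerFactory.newInstance();
// Required of every JAXP TransformerFactory implementation.
tFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
try {
    // JAXP 1.5 access restrictions; not every TransformerFactory knows them.
    tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
    tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
} catch (IllegalArgumentException ignored) {
    // Pre-JAXP-1.5 factory: FEATURE_SECURE_PROCESSING above is the fallback.
}
// … unchanged: newTransformer / DOMSource …
```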
diff --git a/src/main/java/com/ibatis/sqlmap/engine/mapping/statement/RowHandlerCallback.java b/src/main/java/com/ibatis/sqlmap/engine/mapping/statement/RowHandlerCallback.java
index a3450508..3f0add01 100644
--- a/src/main/java/com/ibatis/sqlmap/engine/mapping/statement/RowHandlerCallback.java
+++ b/src/main/java/com/ibatis/sqlmap/engine/mapping/statement/RowHandlerCallback.java
@@ -24,7 +24,6 @@ import java.sql.ResultSet;
 import java.sql.SQLException;
-import javax.xml.XMLConstants;
 import javax.xml.transform.Transformer;
 import javax.xml.transform.TransformerException;
 import javax.xml.transform.TransformerFactory;
@@ -109,8 +108,6 @@ private String documentToString(Document document) {
 try {
 TransformerFactory tFactory = TransformerFactory.newInstance();
- tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
- tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
 Transformer transformer = tFactory.newTransformer();
 DOMSource source = new DOMSource(document);