fix(core): added fix for xml parser (#3100)

banji180 · Banji Jolaoso · web-flow · commit c3e6d69422e1 · 2022-12-04T23:56:38.000-08:00
* added fix for xml parser vulnerability

* added fix for xml parser vulnerability

Co-authored-by: Banji Jolaoso &lt;banjij@amazon.com&gt;
diff --git a/aws-android-sdk-core/src/main/java/com/amazonaws/regions/RegionMetadataParser.java b/aws-android-sdk-core/src/main/java/com/amazonaws/regions/RegionMetadataParser.java
@@ -109,9 +109,10 @@ private static List<Region> internalParse(
         Document document;
         try {
 
-            DocumentBuilderFactory factory =
-                    DocumentBuilderFactory.newInstance();
-
+            DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            factory.setXIncludeAware(false);
+            factory.setExpandEntityReferences(false);
             DocumentBuilder documentBuilder = factory.newDocumentBuilder();
             document = documentBuilder.parse(input);
 
diff --git a/aws-android-sdk-core/src/main/java/com/amazonaws/util/XpathUtils.java b/aws-android-sdk-core/src/main/java/com/amazonaws/util/XpathUtils.java
@@ -45,7 +45,25 @@ public class XpathUtils {
     /** Shared logger */
     private static Log log = LogFactory.getLog(XpathUtils.class);
 
-    private static DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+    private static DocumentBuilderFactory factory = getDocumentBuilderFactory();
+
+
+    /**
+     * Creates new documentbuilderfactory object
+     * @return DocumentBuilderFactory.
+     */
+    private static DocumentBuilderFactory getDocumentBuilderFactory() {
+        try {
+            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            dbf.setXIncludeAware(false); // Default false for java 8. Disable XML Inclusions leading to SSRF - https://portswigger.net/web-security/xxe/lab-xinclude-attack
+            dbf.setExpandEntityReferences(false);
+            return dbf;
+        }
+        catch (ParserConfigurationException exception){
+            return null;
+        }
+    }
 
     /**
      * InputStream to Document.
