Prevent XXE vulnerability

Snipx · Snipx · commit 930a1c81f8ea · 2017-05-24T12:18:43.000+03:00
DEVSIX-1273
diff --git a/forms/src/main/java/com/itextpdf/forms/xfa/XfaForm.java b/forms/src/main/java/com/itextpdf/forms/xfa/XfaForm.java
@@ -57,6 +57,7 @@ This file is part of the iText (R) project.
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
+import org.xml.sax.EntityResolver;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 
@@ -69,6 +70,7 @@ This file is part of the iText (R) project.
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.StringReader;
 import java.nio.charset.StandardCharsets;
 import java.util.HashMap;
 import java.util.Map;
@@ -486,6 +488,7 @@ public void fillXfaForm(InputSource is, boolean readOnly) throws IOException {
         DocumentBuilder db;
         try {
             db = dbf.newDocumentBuilder();
+            db.setEntityResolver(new SafeEmptyEntityResolver());
             Document newdoc = db.parse(is);
             fillXfaForm(newdoc.getDocumentElement(), readOnly);
         } catch (ParserConfigurationException e) {
@@ -619,6 +622,7 @@ private void initXfaForm(InputStream inputStream) throws ParserConfigurationExce
         DocumentBuilderFactory fact = DocumentBuilderFactory.newInstance();
         fact.setNamespaceAware(true);
         DocumentBuilder db = fact.newDocumentBuilder();
+        db.setEntityResolver(new SafeEmptyEntityResolver());
         setDomDocument(db.parse(inputStream));
         xfaPresent = true;
     }
@@ -680,4 +684,11 @@ private Node findDataNode(Node datasetsNode) {
         return null;
     }
 
+    // Prevents XXE attacks
+    private static class SafeEmptyEntityResolver implements EntityResolver {
+        public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
+            return new InputSource(new StringReader(""));
+        }
+    }
+
 }
diff --git a/kernel/src/main/java/com/itextpdf/kernel/utils/XmlUtils.java b/kernel/src/main/java/com/itextpdf/kernel/utils/XmlUtils.java
@@ -42,9 +42,12 @@ This file is part of the iText (R) project.
  */
 package com.itextpdf.kernel.utils;
 
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
+import org.w3c.dom.Document;
+import org.xml.sax.EntityResolver;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.parsers.ParserConfigurationException;
@@ -54,12 +57,18 @@ This file is part of the iText (R) project.
 import javax.xml.transform.TransformerFactory;
 import javax.xml.transform.dom.DOMSource;
 import javax.xml.transform.stream.StreamResult;
-import org.w3c.dom.Document;
-import org.xml.sax.SAXException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.StringReader;
 
 class XmlUtils {
     public static void writeXmlDocToStream(Document xmlReport, OutputStream stream) throws TransformerException {
         TransformerFactory tFactory = TransformerFactory.newInstance();
+        try {
+            tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+            tFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
+        } catch (Exception exc) {}
         Transformer transformer = tFactory.newTransformer();
         transformer.setOutputProperty(OutputKeys.INDENT, "yes");
         DOMSource source = new DOMSource(xmlReport);
@@ -74,6 +83,7 @@ public static boolean compareXmls(InputStream xml1, InputStream xml2) throws Par
         dbf.setIgnoringElementContentWhitespace(true);
         dbf.setIgnoringComments(true);
         DocumentBuilder db = dbf.newDocumentBuilder();
+        db.setEntityResolver(new SafeEmptyEntityResolver());
 
         Document doc1 = db.parse(xml1);
         doc1.normalizeDocument();
@@ -87,4 +97,12 @@ public static boolean compareXmls(InputStream xml1, InputStream xml2) throws Par
     public static Document initNewXmlDocument() throws ParserConfigurationException {
         return DocumentBuilderFactory.newInstance().newDocumentBuilder().newDocument();
     }
+
+    // Prevents XXE attacks
+    private static class SafeEmptyEntityResolver implements EntityResolver {
+        public InputSource resolveEntity(String publicId, String systemId) throws SAXException, IOException {
+            return new InputSource(new StringReader(""));
+        }
+    }
+
 }
