DEV-31192: Fixed injection abilities (#299)

alexpalchuk · web-flow · commit 0d59269e38ad · 2022-03-31T09:56:06.000+03:00
diff --git a/sawmill-core/src/main/java/io/logz/sawmill/utilities/DocumentBuilderProvider.java b/sawmill-core/src/main/java/io/logz/sawmill/utilities/DocumentBuilderProvider.java
@@ -7,12 +7,25 @@
 import javax.xml.parsers.ParserConfigurationException;
 
 public class DocumentBuilderProvider {
+
+    private static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
+    private static final String EXTERNAL_GENERAL_ENTITIES = "http://xml.org/sax/features/external-general-entities";
+    private static final String EXTERNAL_PARAMETER_ENTITIES = "http://xml.org/sax/features/external-parameter-entities";
+    private static final String LOAD_EXTERNAL_DTD = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+
     private final ThreadLocal<DocumentBuilder> localDocumentBuilder;
 
     public DocumentBuilderProvider() {
         localDocumentBuilder = ThreadLocal.withInitial(() -> {
             try {
-                return DocumentBuilderFactory.newInstance().newDocumentBuilder();
+                DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+                factory.setFeature(DISALLOW_DOCTYPE, true);
+                factory.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
+                factory.setFeature(EXTERNAL_PARAMETER_ENTITIES, false);
+                factory.setFeature(LOAD_EXTERNAL_DTD, false);
+                factory.setXIncludeAware(false);
+                factory.setExpandEntityReferences(false);
+                return factory.newDocumentBuilder();
             } catch (ParserConfigurationException e) {
                 throw new ProcessorConfigurationException("failed to create document builder", e);
             }
diff --git a/sawmill-core/src/test/java/io/logz/sawmill/utilities/DocumentBuilderProviderTest.java b/sawmill-core/src/test/java/io/logz/sawmill/utilities/DocumentBuilderProviderTest.java
@@ -0,0 +1,26 @@
+package io.logz.sawmill.utilities;
+
+import java.io.InputStream;
+import javax.xml.parsers.DocumentBuilder;
+import org.junit.Test;
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+
+public class DocumentBuilderProviderTest {
+
+    private static final String XML_FILE = "/test_xml_injection.xml";
+
+    @Test
+    public void testDocumentBuilderProviderReturnsNonNullEntity() {
+        DocumentBuilderProvider documentBuilderProvider = new DocumentBuilderProvider();
+        DocumentBuilder documentBuilder = documentBuilderProvider.provide();
+        assertThat(documentBuilder).isNotNull();
+    }
+
+    @Test
+    public void testParseXml() {
+        InputStream xmlFile = DocumentBuilderProviderTest.class.getResourceAsStream(XML_FILE);
+        assertThatThrownBy(() -> new DocumentBuilderProvider().provide().parse(xmlFile))
+                .hasMessageStartingWith("DOCTYPE is disallowed");
+    }
+}
diff --git a/sawmill-core/src/test/resources/test_xml_injection.xml b/sawmill-core/src/test/resources/test_xml_injection.xml
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///"> ]>
+<stockCheck><productId>&xxe;</productId></stockCheck>

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+<?xml version="1.0" encoding="UTF-8"?>`
	`2`	`+<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///"> ]>`
	`3`	`+<stockCheck><productId>&xxe;</productId></stockCheck>`