From 6f72113a37a1b9182a42447385fef357fcf1f0a5 Mon Sep 17 00:00:00 2001
From: TIANYOU CHEN <42710806+CTY-git@users.noreply.github.com>
Date: Fri, 2 May 2025 10:54:03 +0800
Subject: [PATCH] Fix timing attack vulnerability in AdminAPI.java and XML parsing vulnerability in ServletUtil.java
---
 .../ibm/security/appscan/altoromutual/api/AdminAPI.java | 7 ++++---
 .../security/appscan/altoromutual/util/ServletUtil.java | 7 +++++++
 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/src/com/ibm/security/appscan/altoromutual/api/AdminAPI.java b/src/com/ibm/security/appscan/altoromutual/api/AdminAPI.java
index 5c65640..b8101a6 100644
--- a/src/com/ibm/security/appscan/altoromutual/api/AdminAPI.java
+++ b/src/com/ibm/security/appscan/altoromutual/api/AdminAPI.java
@@ -8,6 +8,7 @@
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
+import java.security.MessageDigest;
 import org.apache.wink.json4j.*;
@@ -46,8 +47,8 @@ public Response changePassword(String bodyJSON, @Context HttpServletRequest requ
 || password2 == null || password2.trim().length() == 0)
 return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity("{\"error\":\"An error has occurred. Please try again later.\"}").build();
- if (!password1.equals(password2)){
- return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity("{\"error\":\"Entered passwords did not match.\"}").build();
+ if (!MessageDigest.isEqual(password1.getBytes(), password2.getBytes())){
+ return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity("{\"error\":\"Entered passwords did not match.\"}").build();;
 }
 String error = null;
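Review bot: `password1.getBytes()` and `password2.getBytes()` in the new `if` of the changePassword hunk use the platform default charset (UTF-8 only from JDK 18 onward), so the byte arrays being compared depend on the JVM's configured encoding rather than on the strings alone; the identical line in the addUser hunk below has the same issue. Pass an explicit charset on both: `if (!MessageDigest.isEqual(password1.getBytes(StandardCharsets.UTF_8), password2.getBytes(StandardCharsets.UTF_8))){` with `import java.nio.charset.StandardCharsets;` added next to the new MessageDigest import. The added return line in changePassword also ends in `;;`, a stray empty statement that the addUser hunk does not carry. Since password1 and password2 both arrive in the same request body, the constant-time compare protects no server-held secret here; it is harmless, but a short comment such as `// constant-time compare; both values are client-supplied, so this is consistency rather than an oracle fix` would keep the next reader from assuming more than it does. changePassword begins before and ends after the hunk.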
@@ -93,7 +94,7 @@ public Response addUser(String bodyJSON, @Context HttpServletRequest request) th
 || password2 == null || password2.trim().length() == 0)
 return Response.status(Response.Status.BAD_REQUEST).entity("{\"error\":\"An error has occurred. Please try again later.\"}").build();
- if (!password1.equals(password2)){
+ if (!MessageDigest.isEqual(password1.getBytes(), password2.getBytes())){
 return Response.status(Response.Status.BAD_REQUEST).entity("{\"error\":\"Entered passwords did not match.\"}").build();
 }
diff --git a/src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java b/src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java
index 6524e35..bb125e9 100644
--- a/src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java
+++ b/src/com/ibm/security/appscan/altoromutual/util/ServletUtil.java
@@ -94,6 +94,13 @@ public static String[] searchArticles(String query, String path) {
 try {
 document = DocumentBuilderFactory.newInstance()
 .newDocumentBuilder().parse(file);
+ dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ dbf.setXIncludeAware(false);
+ dbf.setExpandEntityReferences(false);
+
 // root node
 NodeList nodes = document.getElementsByTagName("news");
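Review bot: The six hardening calls in the ServletUtil hunk are applied to a factory named `dbf` only after `document` has already been produced by a separate `DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(file)` on the preceding context lines, so the parser that actually reads `file` keeps DOCTYPE and external-entity processing at their defaults and the XXE fix never takes effect. The factory must be configured before the builder is created and the parse performed, as in the excerpt below. `dbf` is not declared anywhere in the hunk; if it is not declared earlier in searchArticles the change will not compile, and `setFeature` throws the checked ParserConfigurationException, which the enclosing try presumably already handles for `newDocumentBuilder()` but whose catch clauses lie outside the hunk. searchArticles starts before and ends after the hunk.
```java
try {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    // Configure before building: disallow DOCTYPE, external entities, external DTD loading and XInclude.
    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
    dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    dbf.setXIncludeAware(false);
    dbf.setExpandEntityReferences(false);
    document = dbf.newDocumentBuilder().parse(file);
    // … unchanged: root node lookup via getElementsByTagName("news") …
```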