#4: Security fix: XXEs are now not resolved anymore

CompassSecurity · Sep 24, 2015 · eb72dc6 · eb72dc6
1 parent 6578eab
commit eb72dc6
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 4 deletions.
diff --git a/pom.xml b/pom.xml
@@ -5,7 +5,7 @@
 	<description>SAML2 Burp Suite Extension</description>
 	<groupId>ch.hsr</groupId>
 	<artifactId>saml-raider</artifactId>
-	<version>1.1.0-SNAPSHOT</version>
+	<version>1.1.1-SNAPSHOT</version>
 	<modelVersion>4.0.0</modelVersion>
 	  <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>

diff --git a/src/main/java/helpers/XMLHelpers.java b/src/main/java/helpers/XMLHelpers.java
@@ -62,9 +62,18 @@ public class XMLHelpers {
 	 * @return DocumentBuilderFactory NamespaceAware
 	 */
 	public DocumentBuilderFactory getDBF() {
-		DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
-		documentBuilderFactory.setNamespaceAware(true);
-		return documentBuilderFactory;
+		try {
+			DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
+			documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+			documentBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+			documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+			documentBuilderFactory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING , true);
+			documentBuilderFactory.setNamespaceAware(true);
+			return documentBuilderFactory;
+		} catch (ParserConfigurationException e) {
+			e.printStackTrace();
+		}
+		return null;
 	}
 
 	/**