From eb72dc6edb3903dc0570c3881760bac370fd1511 Mon Sep 17 00:00:00 2001
From: Roland Bischofberger
Date: Thu, 24 Sep 2015 14:50:07 +0200
Subject: [PATCH] #4: Security fix: XXEs are now not resolved anymore
---
 pom.xml | 2 +-
 src/main/java/helpers/XMLHelpers.java | 15 ++++++++++++---
 2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/pom.xml b/pom.xml
index 73d6bac..12b53ed 100644
--- a/pom.xml
+++ b/pom.xml
@@ -5,7 +5,7 @@ SAML2 Burp Suite Extension ch.hsr saml-raider - 1.1.0-SNAPSHOT + 1.1.1-SNAPSHOT 4.0.0 UTF-8
diff --git a/src/main/java/helpers/XMLHelpers.java b/src/main/java/helpers/XMLHelpers.java
index b9b03ec..baacd05 100644
--- a/src/main/java/helpers/XMLHelpers.java
+++ b/src/main/java/helpers/XMLHelpers.java
@@ -62,9 +62,18 @@ public class XMLHelpers {
 * @return DocumentBuilderFactory NamespaceAware
 */
 public DocumentBuilderFactory getDBF() {
- DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
- documentBuilderFactory.setNamespaceAware(true);
- return documentBuilderFactory;
+ try {
+ DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
+ documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+ documentBuilderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+ documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+ documentBuilderFactory.setFeature(javax.xml.XMLConstants.FEATURE_SECURE_PROCESSING , true);
+ documentBuilderFactory.setNamespaceAware(true);
+ return documentBuilderFactory;
+ } catch (ParserConfigurationException e) {
+ e.printStackTrace();
+ }
+ return null;
 }
 /**
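Review bot: The `catch (ParserConfigurationException e)` branch of `getDBF()` reports a hardening failure only via `e.printStackTrace()` and then falls through to `return null;`, so a parser implementation that rejects one of the new feature URIs turns into a NullPointerException at the first caller instead of a clear error; since the method's contract is now to hand out a hardened factory, fail loudly without changing the signature: `throw new IllegalStateException("Cannot configure XXE-safe DocumentBuilderFactory", e);` in the catch and drop the trailing `return null;` (it would be unreachable). Separately, the feature set disables external entities and external DTD loading but still accepts an inline DOCTYPE, so internal-entity expansion bombs are only capped by the secure-processing limits rather than refused; if the extension does not need to parse messages that carry a DOCTYPE (SAML 2.0 forbids DTDs), add `documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`, and if it must keep accepting such messages (e.g. a tester's own payload), add `documentBuilderFactory.setExpandEntityReferences(false);` and `documentBuilderFactory.setXIncludeAware(false);` instead. The Javadoc above the hunk, whose opening lies outside it, should state that the factory is XXE-hardened and that a configuration failure is fatal rather than returning an unhardened factory. One of the new lines also has a stray space before the comma in `FEATURE_SECURE_PROCESSING , true`.
```java
public DocumentBuilderFactory getDBF() {
    try {
        // … unchanged: newInstance() and the three external-entity / external-DTD setFeature calls …
        // Reject any DOCTYPE outright (SAML forbids DTDs); drop this line only if testers'
        // own DOCTYPE payloads must still be parsed by the extension.
        documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        documentBuilderFactory.setXIncludeAware(false);
        documentBuilderFactory.setExpandEntityReferences(false);
        // … unchanged: secure-processing feature, setNamespaceAware(true), return …
    } catch (ParserConfigurationException e) {
        // Fail closed and loud: never hand out an unhardened factory, never a silent null.
        throw new IllegalStateException("Cannot configure XXE-safe DocumentBuilderFactory", e);
    }
}
```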