mangstadt/ez-vcard

XXE vulnerability

seanboylan opened this issue · 2 comments

ezvcard.util.XMLUtils

private static Document toDocument(InputSource in) throws SAXException, IOException {
    DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
    factory.setNamespaceAware(true);
    factory.setIgnoringComments(true);

    DocumentBuilder builder;
    try {
        builder = factory.newDocumentBuilder();
    } catch (ParserConfigurationException e) {
        //should never be thrown because we're not doing anything fancy with the configuration
        throw new RuntimeException(e);
    }

    return builder.parse(in);
}

Has an XXE vulnerability - Please disable external XML entity processing:

References:
https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
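For reference, the following is an added example of what the hardened version of that factory configuration looks like when the OWASP cheat sheet recommendations are applied; it is not the project's own fix (that is in commit e7822b7, not shown here), and the class name `SafeXmlParsing`, the helper `hardenedFactory()` and the sample documents are assumptions constructed for illustration. The sample with a DOCTYPE only declares an internal entity; the point is that a parser with `disallow-doctype-decl` set rejects any DOCTYPE before entity processing can happen at all, so external entities, external DTD fetches and entity-expansion blow-ups are all cut off by the first feature alone.

```java
import java.io.IOException;
import java.io.StringReader;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class SafeXmlParsing {

    // Assumed helper: a DocumentBuilderFactory hardened along the lines of the OWASP XXE cheat sheet.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setIgnoringComments(true);

        // Primary control: reject any DOCTYPE. Without a DOCTYPE there are no entity
        // declarations, so external entities and entity-expansion attacks cannot be expressed.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

        // Defence in depth, for parser implementations that may not honour the feature above.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory;
    }

    static Document toDocument(InputSource in) throws SAXException, IOException {
        DocumentBuilder builder;
        try {
            builder = hardenedFactory().newDocumentBuilder();
        } catch (ParserConfigurationException e) {
            // A parser that cannot enable these protections is not safe to use: fail closed
            // rather than silently parsing with the insecure defaults.
            throw new IllegalStateException("XML parser does not support XXE protections", e);
        }
        return builder.parse(in);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: an xCard-style document carrying a DOCTYPE with an internal entity.
        String withDoctype = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE vcards [<!ENTITY ex \"expanded\">]>"
            + "<vcards xmlns=\"urn:ietf:params:xml:ns:vcard-4.0\">"
            + "<vcard><fn><text>&ex;</text></fn></vcard></vcards>";
        // Constructed sample input: the same structure with no DOCTYPE at all.
        String plain = "<vcards xmlns=\"urn:ietf:params:xml:ns:vcard-4.0\">"
            + "<vcard><fn><text>Jane Doe</text></fn></vcard></vcards>";

        try {
            toDocument(new InputSource(new StringReader(withDoctype)));
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }

        try {
            Document doc = toDocument(new InputSource(new StringReader(plain)));
            System.out.println("parsed root element: " + doc.getDocumentElement().getNodeName());
        } catch (SAXException e) {
            System.out.println("unexpected failure: " + e.getMessage());
        }
    }
}
```

Running `main` parses the plain document and throws a `SAXParseException` for the one with a DOCTYPE. The `catch (ParserConfigurationException e)` branch matters more than it looks: the original excerpt assumes that exception can never be thrown, but once features are being set it is the signal that the underlying parser does not support a protection, and the right response is to refuse to parse rather than fall back to the defaults.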

Thank you for reporting this, Sean. I will look into it.

Fixed in e7822b7.