This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit ee75746c2af7082f51c7624df4c721ebc7e41ef0
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Mon Mar 4 09:31:57 2024 +0100

    Improved: [codeQL]  Resolving specific Java issues (OFBIZ-12925)
    
    Puts more control, better be safe than sorry.
---
 .../accounting/thirdparty/eway/GatewayResponse.java      | 16 ++++++++++++++--
 .../apache/ofbiz/base/util/template/XslTransform.java    |  4 ++++
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git 
a/applications/accounting/src/main/java/org/apache/ofbiz/accounting/thirdparty/eway/GatewayResponse.java
 
b/applications/accounting/src/main/java/org/apache/ofbiz/accounting/thirdparty/eway/GatewayResponse.java
index e645f79062..b143ddf042 100644
--- 
a/applications/accounting/src/main/java/org/apache/ofbiz/accounting/thirdparty/eway/GatewayResponse.java
+++ 
b/applications/accounting/src/main/java/org/apache/ofbiz/accounting/thirdparty/eway/GatewayResponse.java
@@ -164,8 +164,20 @@ public class GatewayResponse {
      */
     public GatewayResponse(InputStream xmlstream, GatewayRequest req) throws 
Exception {
 
-        DocumentBuilderFactory builderFactory = DocumentBuilderFactory
-                .newInstance();
+        DocumentBuilderFactory builderFactory = 
DocumentBuilderFactory.newInstance();
+        // Below is an answer to a codeQL action on GH reporting a possible XXE
+        // I have a doubt about "load-external-dtd" feature because I did not 
test the changes.
+        builderFactory.setValidating(true);
+        builderFactory.setNamespaceAware(true);
+
+        builderFactory.setAttribute("http://xml.org/sax/features/validation";, 
true);
+        
builderFactory.setAttribute("http://apache.org/xml/features/validation/schema";, 
true);
+
+        
builderFactory.setFeature("http://xml.org/sax/features/external-general-entities";,
 false);
+        
builderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities";,
 false);
+        
builderFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd";,
 false);
+        builderFactory.setXIncludeAware(false);
+        builderFactory.setExpandEntityReferences(false);
         DocumentBuilder builder = builderFactory.newDocumentBuilder();
         Document doc = builder.parse(xmlstream);
 
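Review bot: Enabling `setValidating(true)` (together with the `validation` and `validation/schema` attributes) works against the XXE hardening it sits next to: in Xerces the `nonvalidating/load-external-dtd` feature is documented as always on when validation is on, so a DOCTYPE with an external subset in the gateway response is still fetched, and a response with no DTD at all now produces validation errors that the default handler installed for validating builders only prints. The change the response parsing actually needs is to refuse DOCTYPE declarations outright, `builderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`, keeping the two external-entity features and `setExpandEntityReferences(false)` from the hunk; the three validation lines can then go, and the `// I have a doubt about "load-external-dtd" ...` comment with them. If an eWay response is known to carry a DOCTYPE, the JAXP-portable alternative is `builderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");` and `builderFactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");`, which needs `javax.xml.XMLConstants` imported. Also, passing a SAX feature through `setAttribute` (the `validation` line) relies on the JDK's Xerces implementation treating Boolean attributes as features; `setFeature` is the portable call. The constructor continues past the end of the hunk.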
diff --git 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/XslTransform.java
 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/XslTransform.java
index e5d970a00e..20a93092f4 100644
--- 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/XslTransform.java
+++ 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/XslTransform.java
@@ -21,6 +21,7 @@ package org.apache.ofbiz.base.util.template;
 import java.io.IOException;
 import java.io.StringWriter;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.SAXParserFactory;
 import javax.xml.transform.Templates;
 import javax.xml.transform.Transformer;
@@ -48,6 +49,9 @@ public final class XslTransform {
     public static String renderTemplate(String template, String data) throws 
TransformerException {
         String result = null;
         TransformerFactory tfactory = TransformerFactory.newInstance();
+        tfactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        tfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
+        tfactory.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
         if (tfactory.getFeature(SAXSource.FEATURE)) {
             // setup for xml data file preprocessing to be able to xinclude
             SAXParserFactory pfactory = SAXParserFactory.newInstance();
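Review bot: The hardening applies to `tfactory` only; the `SAXParserFactory` created on the last line of the hunk, which per the comment above it parses the `data` document with XInclude, gets none of it, so external entities and external DTDs in the data input are still resolved by that reader unless the rest of the method (outside the hunk) configures it. Mirroring the other file in this commit, `pfactory.setFeature("http://xml.org/sax/features/external-general-entities", false);` and `pfactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` (plus `XMLConstants.FEATURE_SECURE_PROCESSING`) would close that; `SAXParserFactory.setFeature` throws checked `ParserConfigurationException`, `SAXNotRecognizedException` and `SAXNotSupportedException`, which `renderTemplate` does not declare, so the calls need wrapping. Separately, `TransformerFactory.setAttribute` throws `IllegalArgumentException` for an attribute the implementation does not recognise, so the two `ACCESS_EXTERNAL_*` lines abort rendering if a non-JDK factory that lacks them is picked up from the classpath; a try/catch that logs and continues, or a comment stating that the JDK factory is assumed, would make that explicit. `renderTemplate`'s body continues past the end of the hunk.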
