fix(XML解析相关功能): 修复xml解析时未禁止外部实体引用而产生的xxe漏洞
修复xml解析时未禁止外部实体引用而产生的xxe漏洞
This commit is contained in:
parent
d6e31834fd
commit
5050fdcdfa
|
@ -3,6 +3,7 @@ package io.metersphere.api.dto.automation.parse;
|
|||
import com.alibaba.fastjson.JSONArray;
|
||||
import io.metersphere.api.dto.automation.EsbDataStruct;
|
||||
import io.metersphere.commons.utils.LogUtil;
|
||||
import io.metersphere.commons.utils.XMLUtils;
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.dom4j.Document;
|
||||
import org.dom4j.DocumentHelper;
|
||||
|
@ -29,6 +30,7 @@ public class EsbDataParser {
|
|||
}
|
||||
// 创建解析器工厂
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
XMLUtils.setExpandEntityReferencesFalse(factory);
|
||||
DocumentBuilder db = factory.newDocumentBuilder();
|
||||
Document document = DocumentHelper.createDocument();
|
||||
EsbDataStruct dataStruct = selectEsbDataStructByNameStruct(esbDataList, paramArr, 0);
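Review bot: The hardened `db` builder is created in this hunk but never used within it, and the next line builds a dom4j `Document` via `DocumentHelper.createDocument()`; if the untrusted input is later read through dom4j (`DocumentHelper.parseText` or a `SAXReader`) rather than `db.parse(...)`, the features set on `factory` do not apply to that reader. Confirm below the hunk which parser actually consumes the input; a dom4j `SAXReader` needs the same settings applied to it directly, e.g. `reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);`. The TcpTreeTableDataParser hunk further down has the same shape and needs the same check. The enclosing method starts and ends outside the hunk.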
|
||||
|
|
|
@ -6,6 +6,7 @@ import io.metersphere.api.dto.automation.TcpTreeTableDataStruct;
|
|||
import io.metersphere.api.dto.mock.MockConfigRequestParams;
|
||||
import io.metersphere.api.mock.utils.MockApiUtils;
|
||||
import io.metersphere.commons.utils.LogUtil;
|
||||
import io.metersphere.commons.utils.XMLUtils;
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.dom4j.Document;
|
||||
import org.dom4j.DocumentHelper;
|
||||
|
@ -33,6 +34,7 @@ public class TcpTreeTableDataParser {
|
|||
}
|
||||
// 创建解析器工厂
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
XMLUtils.setExpandEntityReferencesFalse(factory);
|
||||
DocumentBuilder db = factory.newDocumentBuilder();
|
||||
Document document = DocumentHelper.createDocument();
|
||||
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
package io.metersphere.api.parse;
|
||||
|
||||
import io.metersphere.commons.utils.LogUtil;
|
||||
import io.metersphere.commons.utils.XMLUtils;
|
||||
import io.metersphere.jmeter.utils.ScriptEngineUtils;
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.w3c.dom.Document;
|
||||
|
@ -32,6 +33,7 @@ public class JmeterDocumentParser {
|
|||
public static byte[] parse(byte[] source) {
|
||||
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
XMLUtils.setExpandEntityReferencesFalse(factory);
|
||||
try (
|
||||
ByteArrayInputStream byteStream = new ByteArrayInputStream(source)
|
||||
) {
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
package io.metersphere.api.parse.old;
|
||||
|
||||
import io.metersphere.commons.utils.LogUtil;
|
||||
import io.metersphere.commons.utils.XMLUtils;
|
||||
import io.metersphere.jmeter.utils.ScriptEngineUtils;
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
import org.w3c.dom.Document;
|
||||
|
@ -34,6 +35,7 @@ public class JmeterDocumentParser {
|
|||
public static byte[] parse(byte[] source) {
|
||||
|
||||
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
|
||||
XMLUtils.setExpandEntityReferencesFalse(factory);
|
||||
try (
|
||||
ByteArrayInputStream byteStream = new ByteArrayInputStream(source)
|
||||
) {
|
||||
|
|
|
@ -1347,10 +1347,12 @@ public class MockConfigService {
|
|||
boolean isXml = false;
|
||||
try {
|
||||
DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
|
||||
XMLUtils.setExpandEntityReferencesFalse(documentBuilderFactory);
|
||||
DocumentBuilder builder = documentBuilderFactory.newDocumentBuilder();
|
||||
builder.parse(new InputSource(new ByteArrayInputStream(message.getBytes("utf-8"))));
|
||||
isXml = true;
|
||||
} catch (Exception e) {
|
||||
e.printStackTrace();
|
||||
}
|
||||
return isXml;
|
||||
}
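Review bot: With the helper now enabling `disallow-doctype-decl`, a message that carries a DOCTYPE fails inside `builder.parse` and this method reports it as not XML (`isXml` stays false) rather than as rejected input, and the surrounding `catch (Exception e)` hides which case occurred, so callers that treat `false` as "plain text" may silently mishandle such input; consider documenting that contract on the method. `e.printStackTrace();` should become `LogUtil.error(e);` as the rest of the commit does (add the import if this class lacks it), and `message.getBytes("utf-8")` should be `message.getBytes(StandardCharsets.UTF_8)` so a checked `UnsupportedEncodingException` is not part of what the catch swallows. The enclosing method starts outside the hunk.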
|
||||
|
|
|
@ -4,11 +4,31 @@ import com.alibaba.fastjson.JSONArray;
|
|||
import com.alibaba.fastjson.JSONObject;
|
||||
import org.apache.commons.lang3.StringUtils;
|
||||
|
||||
import javax.xml.parsers.DocumentBuilderFactory;
|
||||
import java.util.*;
|
||||
import java.util.regex.*;
|
||||
|
||||
public class XMLUtils {
|
||||
|
||||
public static void setExpandEntityReferencesFalse(DocumentBuilderFactory documentBuilderFactory){
|
||||
try {
|
||||
String FEATURE = null;
|
||||
FEATURE = "http://javax.xml.XMLConstants/feature/secure-processing";
|
||||
documentBuilderFactory.setFeature(FEATURE, true);
|
||||
FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
|
||||
documentBuilderFactory.setFeature(FEATURE, true);
|
||||
FEATURE = "http://xml.org/sax/features/external-parameter-entities";
|
||||
documentBuilderFactory.setFeature(FEATURE, false);
|
||||
FEATURE = "http://xml.org/sax/features/external-general-entities";
|
||||
documentBuilderFactory.setFeature(FEATURE, false);
|
||||
FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
|
||||
documentBuilderFactory.setFeature(FEATURE, false);
|
||||
documentBuilderFactory.setXIncludeAware(false);
|
||||
documentBuilderFactory.setExpandEntityReferences(false);
|
||||
}catch (Exception e){
|
||||
LogUtil.error(e);
|
||||
}
|
||||
}
|
||||
private static void jsonToXmlStr(JSONObject jObj, StringBuffer buffer, StringBuffer tab) {
|
||||
Set<Map.Entry<String, Object>> se = jObj.entrySet();
|
||||
StringBuffer nowTab = new StringBuffer(tab.toString());
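Review bot: `setExpandEntityReferencesFalse` fails open: when `setFeature` throws (a `ParserConfigurationException` from a factory implementation that does not recognise one of these feature URIs), the catch only calls `LogUtil.error(e)` and returns normally, so every caller in this commit (EsbDataParser, TcpTreeTableDataParser, both JmeterDocumentParser copies and MockConfigService) goes on to build and use an unhardened parser. Replace the catch body with `throw new IllegalStateException("failed to apply XXE protections to DocumentBuilderFactory", e);` so the caller refuses to parse instead, and keep the `LogUtil.error(e)` call before it if the log entry is wanted. As a point of style, the `FEATURE` local is initialised to `null`, reassigned five times and named like a constant; passing each URI literal straight to `setFeature`, or declaring them as `private static final String` fields, reads more clearly. A Javadoc line on the method stating that it disables DTDs, external entities, XInclude and entity expansion, and that any failure is fatal, would help callers understand why parsing of DOCTYPE-bearing documents now fails. The hunk cuts into `jsonToXmlStr`, whose body continues outside it.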
|
||||
|
|