fix(XML解析相关功能): 修复xml解析时未禁止外部实体引用而产生的xxe漏洞

修复xml解析时未禁止外部实体引用而产生的xxe漏洞

backend/src/main/java/io/metersphere/api/dto/automation/parse/EsbDataParser.java

@@ -3,6 +3,7 @@ package io.metersphere.api.dto.automation.parse;
 import com.alibaba.fastjson.JSONArray;
 import io.metersphere.api.dto.automation.EsbDataStruct;
 import io.metersphere.commons.utils.LogUtil;
+import io.metersphere.commons.utils.XMLUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.dom4j.Document;
 import org.dom4j.DocumentHelper;
@@ -29,6 +30,7 @@ public class EsbDataParser {
             }
             // 创建解析器工厂
             DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+            XMLUtils.setExpandEntityReferencesFalse(factory);
             DocumentBuilder db = factory.newDocumentBuilder();
             Document document = DocumentHelper.createDocument();
             EsbDataStruct dataStruct = selectEsbDataStructByNameStruct(esbDataList, paramArr, 0);

backend/src/main/java/io/metersphere/api/dto/automation/parse/TcpTreeTableDataParser.java

@@ -6,6 +6,7 @@ import io.metersphere.api.dto.automation.TcpTreeTableDataStruct;
 import io.metersphere.api.dto.mock.MockConfigRequestParams;
 import io.metersphere.api.mock.utils.MockApiUtils;
 import io.metersphere.commons.utils.LogUtil;
+import io.metersphere.commons.utils.XMLUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.dom4j.Document;
 import org.dom4j.DocumentHelper;
@@ -33,6 +34,7 @@ public class TcpTreeTableDataParser {
             }
             // 创建解析器工厂
             DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+            XMLUtils.setExpandEntityReferencesFalse(factory);
             DocumentBuilder db = factory.newDocumentBuilder();
             Document document = DocumentHelper.createDocument();
 

backend/src/main/java/io/metersphere/api/parse/JmeterDocumentParser.java

@@ -1,6 +1,7 @@
 package io.metersphere.api.parse;
 
 import io.metersphere.commons.utils.LogUtil;
+import io.metersphere.commons.utils.XMLUtils;
 import io.metersphere.jmeter.utils.ScriptEngineUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.w3c.dom.Document;
@@ -32,6 +33,7 @@ public class JmeterDocumentParser {
     public static byte[] parse(byte[] source) {
 
         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        XMLUtils.setExpandEntityReferencesFalse(factory);
         try (
                 ByteArrayInputStream byteStream = new ByteArrayInputStream(source)
         ) {

backend/src/main/java/io/metersphere/api/parse/old/JmeterDocumentParser.java

@@ -1,6 +1,7 @@
 package io.metersphere.api.parse.old;
 
 import io.metersphere.commons.utils.LogUtil;
+import io.metersphere.commons.utils.XMLUtils;
 import io.metersphere.jmeter.utils.ScriptEngineUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.w3c.dom.Document;
@@ -34,6 +35,7 @@ public class JmeterDocumentParser {
     public static byte[] parse(byte[] source) {
 
         DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+        XMLUtils.setExpandEntityReferencesFalse(factory);
         try (
                 ByteArrayInputStream byteStream = new ByteArrayInputStream(source)
         ) {

backend/src/main/java/io/metersphere/api/service/MockConfigService.java

@@ -1347,10 +1347,12 @@ public class MockConfigService {
         boolean isXml = false;
         try {
             DocumentBuilderFactory documentBuilderFactory = DocumentBuilderFactory.newInstance();
+            XMLUtils.setExpandEntityReferencesFalse(documentBuilderFactory);
             DocumentBuilder builder = documentBuilderFactory.newDocumentBuilder();
             builder.parse(new InputSource(new ByteArrayInputStream(message.getBytes("utf-8"))));
             isXml = true;
         } catch (Exception e) {
+            e.printStackTrace();
         }
         return isXml;
     }

backend/src/main/java/io/metersphere/commons/utils/XMLUtils.java

@@ -4,11 +4,31 @@ import com.alibaba.fastjson.JSONArray;
 import com.alibaba.fastjson.JSONObject;
 import org.apache.commons.lang3.StringUtils;
 
+import javax.xml.parsers.DocumentBuilderFactory;
 import java.util.*;
 import java.util.regex.*;
 
 public class XMLUtils {
 
+    public static void setExpandEntityReferencesFalse(DocumentBuilderFactory documentBuilderFactory){
+        try {
+            String FEATURE = null;
+            FEATURE = "http://javax.xml.XMLConstants/feature/secure-processing";
+            documentBuilderFactory.setFeature(FEATURE, true);
+            FEATURE = "http://apache.org/xml/features/disallow-doctype-decl";
+            documentBuilderFactory.setFeature(FEATURE, true);
+            FEATURE = "http://xml.org/sax/features/external-parameter-entities";
+            documentBuilderFactory.setFeature(FEATURE, false);
+            FEATURE = "http://xml.org/sax/features/external-general-entities";
+            documentBuilderFactory.setFeature(FEATURE, false);
+            FEATURE = "http://apache.org/xml/features/nonvalidating/load-external-dtd";
+            documentBuilderFactory.setFeature(FEATURE, false);
+            documentBuilderFactory.setXIncludeAware(false);
+            documentBuilderFactory.setExpandEntityReferences(false);
+        }catch (Exception e){
+            LogUtil.error(e);
+        }
+    }
     private static void jsonToXmlStr(JSONObject jObj, StringBuffer buffer, StringBuffer tab) {
         Set<Map.Entry<String, Object>> se = jObj.entrySet();
         StringBuffer nowTab = new StringBuffer(tab.toString());