fix(XML解析相关功能): 修复使用SAXReader导致的xxe攻击漏洞
修复使用SAXReader导致的XXE攻击漏洞
This commit is contained in:
parent
d119ec6e05
commit
d08d0c2158
|
@ -30,6 +30,7 @@ import io.metersphere.controller.request.ScheduleRequest;
|
||||||
import io.metersphere.dto.ScheduleDao;
|
import io.metersphere.dto.ScheduleDao;
|
||||||
import io.metersphere.i18n.Translator;
|
import io.metersphere.i18n.Translator;
|
||||||
import io.metersphere.job.sechedule.ApiTestJob;
|
import io.metersphere.job.sechedule.ApiTestJob;
|
||||||
|
import io.metersphere.performance.parse.EngineSourceParserFactory;
|
||||||
import io.metersphere.service.FileService;
|
import io.metersphere.service.FileService;
|
||||||
import io.metersphere.service.ScheduleService;
|
import io.metersphere.service.ScheduleService;
|
||||||
import io.metersphere.track.service.TestCaseService;
|
import io.metersphere.track.service.TestCaseService;
|
||||||
|
@ -465,7 +466,7 @@ public class APITestService {
|
||||||
//获取要转化的文件
|
//获取要转化的文件
|
||||||
List<String> attachmentFilePathList = new ArrayList<>();
|
List<String> attachmentFilePathList = new ArrayList<>();
|
||||||
try {
|
try {
|
||||||
Document doc = DocumentHelper.parseText(jmx);// 获取可续保保单列表报文模板
|
Document doc = EngineSourceParserFactory.getDocument(new ByteArrayInputStream(jmx.getBytes("utf-8")));
|
||||||
Element root = doc.getRootElement();
|
Element root = doc.getRootElement();
|
||||||
Element rootHashTreeElement = root.element("hashTree");
|
Element rootHashTreeElement = root.element("hashTree");
|
||||||
List<Element> innerHashTreeElementList = rootHashTreeElement.elements("hashTree");
|
List<Element> innerHashTreeElementList = rootHashTreeElement.elements("hashTree");
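Review bot: `jmx.getBytes("utf-8")` on the new parse line selects the charset by name, which declares a checked `UnsupportedEncodingException` for a condition that cannot occur on a JVM; the idiomatic form is `Document doc = EngineSourceParserFactory.getDocument(new ByteArrayInputStream(jmx.getBytes(StandardCharsets.UTF_8)));` with `import java.nio.charset.StandardCharsets;`. The same `getBytes("utf-8")` pattern appears in both XmindLegacy hunks of this commit. Because the shared reader now rejects DOCTYPE declarations, a JMX file that carries one will surface as a DocumentException from this line instead of parsing; the catch of the enclosing `try`, which opens in this hunk but closes outside it, is presumably where that should become a clear import error rather than a generic failure. If `DocumentHelper` is no longer referenced elsewhere in APITestService, its import can be dropped.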
|
||||||
|
|
|
@ -34,6 +34,14 @@ public class EngineSourceParserFactory {
|
||||||
|
|
||||||
public static Document getDocument(InputStream source) throws DocumentException {
|
public static Document getDocument(InputStream source) throws DocumentException {
|
||||||
SAXReader reader = new SAXReader();
|
SAXReader reader = new SAXReader();
|
||||||
|
try {
|
||||||
|
reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
|
||||||
|
reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
|
||||||
|
reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
|
||||||
|
reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
|
||||||
|
}catch (Exception e){
|
||||||
|
LogUtil.error(e);
|
||||||
|
}
|
||||||
if (!IS_TRANS) {
|
if (!IS_TRANS) {
|
||||||
reader.setXMLFilter(EngineSourceParserFactory.getFilter());
|
reader.setXMLFilter(EngineSourceParserFactory.getFilter());
|
||||||
}
|
}
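Review bot: The new `catch (Exception e){ LogUtil.error(e); }` around the four `setFeature` calls fails open: if the underlying parser rejects any feature, the error is only logged and parsing continues on a reader with none of the XXE protections this commit is introducing. Since `getDocument` already declares `throws DocumentException`, fail closed instead — `} catch (SAXException e) {` / `    throw new DocumentException("could not apply XXE-hardening features to SAXReader", e);` / `}` — catching the `org.xml.sax.SAXException` that `setFeature` declares rather than `Exception`, and preserving the cause. That also keeps the feature block from silently masking a misconfigured parser implementation at runtime. The `}catch (Exception e){` spacing differs from the `if (!IS_TRANS) {` style in the same method; `} catch (...) {` matches. `getDocument` continues past the end of this hunk.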
|
||||||
|
|
|
@ -1,9 +1,11 @@
|
||||||
package io.metersphere.xmind.parser;
|
package io.metersphere.xmind.parser;
|
||||||
|
|
||||||
|
import io.metersphere.performance.parse.EngineSourceParserFactory;
|
||||||
import org.dom4j.*;
|
import org.dom4j.*;
|
||||||
import org.json.JSONObject;
|
import org.json.JSONObject;
|
||||||
import org.json.XML;
|
import org.json.XML;
|
||||||
|
|
||||||
|
import java.io.ByteArrayInputStream;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
@ -32,7 +34,7 @@ public class XmindLegacy {
|
||||||
//去除自由风格主题
|
//去除自由风格主题
|
||||||
xmlContent = xmlContent.replaceAll("<topics type=\"detached\">", "");
|
xmlContent = xmlContent.replaceAll("<topics type=\"detached\">", "");
|
||||||
|
|
||||||
Document document = DocumentHelper.parseText(xmlContent);// 读取XML文件,获得document对象
|
Document document = EngineSourceParserFactory.getDocument(new ByteArrayInputStream(xmlContent.getBytes("utf-8")));// 读取XML文件,获得document对象
|
||||||
Element root = document.getRootElement();
|
Element root = document.getRootElement();
|
||||||
List<Node> topics = root.selectNodes("//topic");
|
List<Node> topics = root.selectNodes("//topic");
|
||||||
|
|
||||||
|
@ -41,7 +43,7 @@ public class XmindLegacy {
|
||||||
xmlComments = xmlComments.replace("xmlns=\"urn:xmind:xmap:xmlns:comments:2.0\"", "");
|
xmlComments = xmlComments.replace("xmlns=\"urn:xmind:xmap:xmlns:comments:2.0\"", "");
|
||||||
|
|
||||||
// 添加评论到content中
|
// 添加评论到content中
|
||||||
Document commentDocument = DocumentHelper.parseText(xmlComments);
|
Document commentDocument = EngineSourceParserFactory.getDocument(new ByteArrayInputStream(xmlComments.getBytes("utf-8")));
|
||||||
List<Node> commentsList = commentDocument.selectNodes("//comment");
|
List<Node> commentsList = commentDocument.selectNodes("//comment");
|
||||||
|
|
||||||
for (Node topic : topics) {
|
for (Node topic : topics) {
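Review bot: `EngineSourceParserFactory.getDocument` is not a plain hardened parser: as the EngineSourceParserFactory hunk in this commit shows, it also installs `EngineSourceParserFactory.getFilter()` as an XMLFilter whenever `IS_TRANS` is false, and a filter living under `io.metersphere.performance.parse` was presumably written for engine source files, not XMind content. Both new parse calls in XmindLegacy — the content document at the first hunk and the comments document here — now run through that filter, so either confirm it is a no-op for XMind XML or split the factory into a hardened-reader helper (the `SAXReader` with the four features set, no filter) and call that from this class. A one-line comment at each call site, e.g. `// hardened reader: DOCTYPE and external entities are rejected`, would also tell the next reader why the XMind parser depends on the performance package. Both parse lines sit inside a method whose start and end are outside these hunks.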
|
||||||
|
|