Disable XML Entity Expansions for unmarshalling #300
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Deprecates the constructor taking a set of schema resources.
Enables converting from already parsed DOM Document (e.g. from using DocumentBuilder), which is applicable for ad-hoc access to the parsed XML which is not captured into a JAXB type.
simenstoa
reviewed
Nov 1, 2023
| throw new IllegalArgumentException("No sources given for creating Schema. (schemaResourceNames was " + schemaResourceNames + ")"); | ||
| } | ||
| try { | ||
| SAXParserFactory parserFactory = SAXParserFactory.newInstance(); |
Contributor
There was a problem hiding this comment.
Hvorfor brukes ikke SaxParserProvider.createSecuredParserFactory(); her?
Member
Author
There was a problem hiding this comment.
Den kan den nok! Dette ble nok tatt ut i en egen util før SaxParserProvider var tilgjengelig. Will fix!
Accepting an existing InputStream for consuming, should not assume that the InputStream can be closed.
runeflobakk
force-pushed
the
disable-xml-entity-expansions
branch
from
acd6be0 to
a077a9b
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Ensuring JAXB marshalling (in particular
Unmarshaller) uses a securely configured underlying XML parser, according to recommendations by OWASP.In addition, more generic support for customizing the
MarshallerandUnmarshaller, and setting schema used for validation is retrofitted into this facility. This is used by theBillionLaughsTestto inject the infamous Billion Laughs XXE attack header in order to test for the proper handling, i.e. not allowing a DOCTYPE header at all.One additional unmarshal method is added:
unmarshal(Node, Class). This allows for separating the XML-parsing to a general DOM-representation, and then afterwards unmarshal to a JAXB class from the already parsed DOM, instead of parsing the XML a second time.