dbeaver/dbeaver-ee#1166 prevent XXE
n5a5 committed Oct 4, 2021
1 parent db626f4 commit 4debf8f
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions bundles/org.jkiss.utils/src/org/jkiss/utils/xml/XMLUtils.java
Expand Up @@ -17,6 +17,7 @@

package org.jkiss.utils.xml;

import javax.xml.XMLConstants;
import org.jkiss.code.NotNull;
import org.jkiss.code.Nullable;
import org.w3c.dom.Document;
Expand Down Expand Up @@ -62,6 +63,7 @@ public static Document parseDocument(InputSource source) throws XMLException {
try {
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
DocumentBuilder xmlBuilder = dbf.newDocumentBuilder();
dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
return xmlBuilder.parse(source);
} catch (Exception er) {
throw new XMLException("Error parsing XML document", er);
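Review bot: the new `dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` line is placed after `DocumentBuilder xmlBuilder = dbf.newDocumentBuilder();`, so the builder that performs `xmlBuilder.parse(source)` was created before the feature was enabled and does not pick it up; move the `setFeature` call above the `newDocumentBuilder()` line, since features must be configured on the factory before a builder is created from it. Consider additionally disabling DOCTYPE declarations and external entities explicitly (`http://apache.org/xml/features/disallow-doctype-decl`, `http://xml.org/sax/features/external-general-entities`, `http://xml.org/sax/features/external-parameter-entities`, plus `dbf.setXIncludeAware(false)` and `dbf.setExpandEntityReferences(false)`), because whether FEATURE_SECURE_PROCESSING on its own blocks external entity resolution depends on the JAXP implementation in use.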

5 comments on commit 4debf8f

@JamieSlome

@akilovich - @srikanthprathi has requested a CVE for this report (https://www.huntr.dev/bounties/a98264fb-1930-4c7c-b774-af24c0175fd4/)...

Are you happy for us to go ahead and arrange this?

@n5a5
Member Author

@n5a5 n5a5 commented on 4debf8f Dec 13, 2021


@JamieSlome Hi. I don't quite understand what you mean. Can you elaborate on this a little bit?

@JamieSlome

@akilovich - sure 👍

Because @srikanthprathi disclosed a valid security vulnerability to us, we are able to create a CVE for this report.

A CVE notifies developers using your package about this vulnerability, and the version that patches it as well.

You can read more about it here.

@n5a5
Member Author

@n5a5 n5a5 commented on 4debf8f Dec 14, 2021


@JamieSlome Yes, you can proceed.

@JamieSlome

@akilovich - CVE published! 🎉

CVE-2021-3836
