Configure SAXParserFactory to avoid XXE references

#KT-51519 Fixed
JetBrains · Apr 2, 2022 · 9c78d57 · 9c78d57 · JamieSlome · Apr 11, 2022
1 parent d01e6b6
commit 9c78d57
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/compiler/cli/cli-common/src/org/jetbrains/kotlin/cli/common/modules/ModuleXmlParser.java b/compiler/cli/cli-common/src/org/jetbrains/kotlin/cli/common/modules/ModuleXmlParser.java
@@ -85,7 +85,12 @@ private void setCurrentState(@NotNull DefaultHandler currentState) {
     private ModuleChunk parse(@NotNull InputStream xml) {
         try {
             setCurrentState(initial);
-            SAXParser saxParser = SAXParserFactory.newInstance().newSAXParser();
+            SAXParserFactory factory = SAXParserFactory.newInstance();
+            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
+            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+            factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+            SAXParser saxParser = factory.newSAXParser();
             saxParser.parse(xml, new DelegatedSaxHandler() {
                 @NotNull
                 @Override

diff --git a/.../compiler-runner-unshaded/src/org/jetbrains/kotlin/compilerRunner/CompilerOutputParser.kt b/.../compiler-runner-unshaded/src/org/jetbrains/kotlin/compilerRunner/CompilerOutputParser.kt
@@ -30,7 +30,6 @@ import org.xml.sax.SAXException
 import org.xml.sax.helpers.DefaultHandler
 import java.io.IOException
 import java.io.Reader
-import java.util.*
 import javax.xml.parsers.SAXParserFactory
 
 object CompilerOutputParser {
@@ -59,6 +58,10 @@ object CompilerOutputParser {
         }
         try {
             val factory = SAXParserFactory.newInstance()
+            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
+            factory.setFeature("http://xml.org/sax/features/external-general-entities", false)
+            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false)
+            factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false)
             val parser = factory.newSAXParser()
             parser.parse(InputSource(wrappingReader), CompilerOutputSAXHandler(messageCollector, collector))
         }