Backport fix for #2589 as well as #1279, preparing for 2.6.7.4 micro-patch

cowtowncoder · cowtowncoder · commit b59b611f82c5 · 2020-10-24T19:46:17.000-07:00
diff --git a/release-notes/VERSION b/release-notes/VERSION
@@ -4,12 +4,15 @@ Project: jackson-databind
 === Releases ===
 ------------------------------------------------------------------------
 
-2.6.7.4 (not yet released)
+2.6.7.4 (25-Oct-2020)
 
 Backported all CVE fixes up to 2.9.10.6
 
+#1279: Ensure DOM parsing defaults to not expanding external entities
 #2469: Block one more gadget type (xalan2)
 #2526: Block two more gadget types (ehcache/JNDI - CVE-2019-20330)
+#2589: `DOMDeserializer`: setExpandEntityReferences(false) may not prevent external
+  entity expansion in all cases [CVE-2020-25649]
 #2620: Block one more gadget type (xbean-reflect/JNDI - CVE-2020-8840)
 #2631: Block one more gadget type (shaded-hikari-config, CVE-2020-9546)
 #2634: Block two more gadget types (ibatis-sqlmap, anteros-core; CVE-2020-9547 / CVE-2020-9548)
diff --git a/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java b/src/main/java/com/fasterxml/jackson/databind/ext/DOMDeserializer.java
@@ -2,7 +2,9 @@
 
 import java.io.StringReader;
 
+import javax.xml.XMLConstants;
 import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
 
 import org.w3c.dom.Document;
 import org.w3c.dom.Node;
@@ -25,6 +27,25 @@ public abstract class DOMDeserializer<T> extends FromStringDeserializer<T>
         _parserFactory = DocumentBuilderFactory.newInstance();
         // yup, only cave men do XML without recognizing namespaces...
         _parserFactory.setNamespaceAware(true);
+        // [databind#1279]: make sure external entities NOT expanded by default
+        _parserFactory.setExpandEntityReferences(false);
+        // ... and in general, aim for "safety"
+        try {
+            _parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
+        } catch(ParserConfigurationException pce) {
+            // not much point to do anything; could log but...
+        } catch (Error e) {
+            // 14-Jul-2016, tatu: Not sure how or why, but during code coverage runs
+            //   (via Cobertura) we get `java.lang.AbstractMethodError` so... ignore that too
+        }
+
+        // [databind#2589] add two more settings just in case
+        try {
+            _parserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+        } catch (Throwable t) { } // as per previous one, nothing much to do
+        try {
+            _parserFactory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
+        } catch (Throwable t) { } // as per previous one, nothing much to do
     }
 
     protected DOMDeserializer(Class<T> cls) { super(cls); }
